Source
Zero Science Lab
The FM transmitter uses a weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.
The application suffers from an authentication bypass and account takeover/lockout vulnerability that can be triggered by directly calling the users object and effectively modifying the password of the two constants user/role (user/admin). This can be exploited by an unauthenticated adversary by issuing a single POST request to the vulnerable endpoint and gain unauthorized access to the affected device with administrative privileges.
Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.
The Cookie 'polyeco' is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication and manipulate the transmitter. The session is also visible in an HTTP GET request and there is the lack of SSL in use, allowing MitM attacks.
The Cookie session ID 'id' is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication and manipulate the transmitter.
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
The application suffers from improper access control when editing users. A user with Read permissions can manipulate users, passwords and permissions by sending a single HTTP POST request with modified parameters and edit other users' names, passwords and permissions including admin password.
The application suffers from a privilege escalation vulnerability. A user with Read permissions can elevate his/her privileges by sending a HTTP POST request setting the parameter 'auth1' or 'auth2' or 'auth3' to integer value '1' for Write or '2' for Admin permissions.
The Cookie session ID 'id' is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication and manipulate the transmitter.
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.