credits: Malvuln (John Page aka hyp3rlinx)
Login.php webpage accepts HTTP GET “l” and “p” parameters which are passed to the backend server side code: $_GET[“l”] name=\”login\”, $_GET[“p”] , name=\”password\”. However, there is no secure coding practice of filtering input or sanitization of output. Panel users who visit a third-party attacker website or click an infected link, can trigger arbitrary client side JS code execution in the security context of the current user. This can result in data theft or GEO location disclosure of the user accessing the Amadey web interface.
The submit button contains the text “Unlock”.
Entering incorrect password results in URI of “?wrong=1” and displays “Wrong login or password”, after a few seconds delay redirects back to Login.php.
Wrong login or password
The web panel HTML source code for the URL “Login.php?wrong=1” contains the letters “CC” plus the Domain/IP within brackets[x.x.x.x] within the HTML title tag.
%3Ctitle%3E CC [127.0.0.1] %3C/title%3E
Tested successfully in Firefox.
Exploit/PoC:
Vulnerable parameters: “l” and “p”
Login.php webpage accepts HTTP GET “l” and “p” parameters which are passed to the backend server side code: $_GET[“l”] name=\”login\”, $_GET[“p”] , name=\”password\”. However, there is no secure coding practice of filtering input or sanitization of output. Panel users who visit a third-party attacker website or click an infected link, can trigger arbitrary client side JS code execution in the security context of the current user. This can result in data theft or GEO location disclosure of the user accessing the Amadey web interface.
The submit button contains the text “Unlock”.
Entering incorrect password results in URI of “?wrong=1” and displays “Wrong login or password”, after a few seconds delay redirects back to Login.php.
Wrong login or password
The web panel HTML source code for the URL “Login.php?wrong=1” contains the letters “CC” plus the Domain/IP within brackets[x.x.x.x] within the HTML title tag.
%3Ctitle%3E CC [127.0.0.1] %3C/title%3E
Tested successfully in Firefox.
Exploit/PoC:
Vulnerable parameters: “l” and “p”