InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass

Title: InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass
Advisory ID: ZSL-2016-5373
Type: Local/Remote
Impact: Security Bypass, Cross-Site Scripting
Risk: (4/5)
Release Date: 28.10.2016
Summary
InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient cient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management.
Description
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources and functionalities in the system directly, for example APIs, files, upload utilities, device settings, etc.
Vendor
Austin Hughes Electronics Ltd. - http://www.austin-hughes.com
Affected Version
Q213V1 (Firmware: V2395S)
Tested On
Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vendor Status
[27.09.2016] Vulnerability discovered.
[03.10.2016] Vendor contacted.
[04.10.2016] Vendor responds asking more details.
[04.10.2016] Sent details to the vendor.
[06.10.2016] Vendor has released a new firmware version that addresses these issues.
[28.10.2016] Public security advisory released.
PoC
infrapower_idor.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40644/
[2] https://packetstormsecurity.com/files/139421
[3] https://cxsecurity.com/issue/WLB-2016100263
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/118422
Changelog
[28.10.2016] - Initial release
[31.10.2016] - Added reference [1], [2] and [3]
[02.11.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk