Open jimmy0435 opened 3 years ago
Here is fine.
Authentication is not needed for modifying the name of sensors on MHN. And the attacker can get some extra information about sensors. Also, the CSRF validation is not working as well. The request can be performed even if X-CSRFToken is removed from the HTTP header. Please refer to the code here: https://github.com/pwnlandia/mhn/blob/master/server/mhn/api/views.py#L59
The UUID is needed for this vulnerability. We also found a place to get the sensor id without authentication. We believe not only JSON, but XML also could leak the same data as well. Please refer to the code here: https://github.com/pwnlandia/mhn/blob/025668145069f42e57b127e863028be4a33e9efe/server/mhn/__init__.py#L76
I'm not sure it's appropriate to post detailed information here directly. I've tried to send an email to modern-honey-network@googlegroups.com, but it seems it is a public forum, so I deleted the thread on the forum. Please let me know which way is better to provide the detailed information, thanks.