PoC details: 0cce4989d208e8d2cf4dc1c8f5dc462cf112ae12

Related vulnerability
Title: Aver PTC310UV2 security vulnerability (CVE-2025-45620)
Description: The AVer PTC310UV2 is an auto-tracking camera made by the US company AVer. Aver PTC310UV2 v.0.1.0000.59 contains a security vulnerability: a specially crafted request can lead to the disclosure of sensitive information.
Introduction
**Issue details**

The affected device is the PTC310UV2 camera running firmware version 0.1.0000.59. The vulnerability lies in the web interface used to access the camera. It was found during a penetration test, so certain information in the PoC screenshots has been redacted.

**Description**

This disclosure covers two vulnerabilities that have been identified in the login page of the AVer firmware's web interface. It should be noted that I am not very familiar with any of your products, meaning that some terms might not be used correctly.

This finding is somewhat broader than CVE-2025-45619, but it mainly concerns client-side authentication.
Inspecting the source code of the web application reveals the authentication mechanism in use. Because the check is performed in the frontend, the application has to pull the stored credentials from somewhere, in this case an endpoint, into the browser. The function shown below does exactly that: it fetches the credentials from the endpoint identified in the first finding and compares them in the client.
 
<img width="1000" alt="bilde" src="https://github.com/user-attachments/assets/e84a1476-b7e0-4c0b-945b-07d1ed677e62" />

The `SendAction("Get=acc", function(data)` line requests the endpoint from the first finding, which returns the stored credentials as a string in the form `username&password&`. The function then splits that string and assigns the username to `auth_user` and the password to `auth_pwd`. Finally, it compares those values with the ones supplied by the user (`name` and `pwd`) and continues or aborts the login flow accordingly.
The request for the credentials is made before, and regardless of, the outcome of that comparison: the device hands out the real username and password on every login attempt, valid or not. Anyone who can reach the login page and open the browser's network monitor therefore sees them in plaintext, without ever authenticating. This process is displayed in the figures below.

<img width="1000" alt="bilde" src="https://github.com/user-attachments/assets/ff3b001c-4ee8-4d98-ae6e-c357fff0b031" />  

<img width="1000" alt="bilde" src="https://github.com/user-attachments/assets/0c0db847-34c2-4281-ae94-9de625fc301a" />

Storing passwords in, or transferring them to, the frontend violates best practice. The comparison belongs on the server: the browser should submit the entered credentials, and the device should verify them and return only a session token (for example a JWT or an OAuth token), so that the stored password never leaves the device. Independently of that, the `Get=acc` endpoint must not return credentials to unauthenticated callers.
File snapshot

[4.0K] /data/pocs/0cce4989d208e8d2cf4dc1c8f5dc462cf112ae12 └── [2.3K] README.md 0 directories, 1 file