
the femtocell provides a web interface on port 80. the web server is wsal.

the default credentials for the operator pages :

there are other credentials (eng/stella;mno/ubipass), but they cannot be used

to access the ubiquisys pages, you don't need to be logged in :

  1. go to the home page, to get the cookie
  2. get a ubiquisys page e.g. /cust/technician_ui_status_zap_status.html
  3. click the same “tab”, it should install the right cookie
  4. the page should display well now. if you are redirected to the home page, go back and re-click the tab

this way it is possible to get/set most of the configuration (stored in the database), even change the password (still without being logged in).

wsal

howto use wsal :

  • wsal uses SHTTPD (Simple HTTPS v1.39 by Sergey Lyubka), with hardcoded CGI
  • HTTP GET does not get the 200/OK response
  • HTTP GET returns the plain text from the requested file
  • requesting to GET a page not in the index breaks wsal
  • everything is done using HTTP POST. this is how the pages are returned (200/OK)
  • requesting (POST) a page (except login.html) without being logged in redirects to index.html
  • to circumvent the login, request (POST) a hidden page. A session cookie will be set (and you will be redirected). use this cookie to request any page
  • requesting (POST) any page outside the catalog does not break wsal
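
The access-control flaw described above (a cookie issued before login is accepted for any page), modelled next to a hardened check. This is an added example, not wsal or shttpd code: the session structure, the roles, and the rule that /cust/ pages need a technician role are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical session model; wsal's real data structures are not on the page. */
enum role { ROLE_NONE, ROLE_OWNER, ROLE_TECHNICIAN };
struct session { const char *cookie; enum role role; };
enum verdict { SERVE_PAGE, REDIRECT_TO_INDEX };

/* Constructed samples: a cookie handed out before login, and two logged-in ones. */
static const struct session PRELOGIN = { "constructed-cookie-1", ROLE_NONE };
static const struct session OWNER    = { "constructed-cookie-2", ROLE_OWNER };
static const struct session TECH     = { "constructed-cookie-3", ROLE_TECHNICIAN };

static int is_public(const char *path) {
    return strcmp(path, "/login.html") == 0 || strcmp(path, "/index.html") == 0;
}

/* Role a page needs: vendor pages live under /cust/ (per the page); the rest
 * are treated as owner pages (assumption). */
static enum role required_role(const char *path) {
    return strncmp(path, "/cust/", 6) == 0 ? ROLE_TECHNICIAN : ROLE_OWNER;
}

/* Behaviour consistent with the notes: holding any session cookie is enough. */
enum verdict check_cookie_only(const struct session *s, const char *path) {
    if (is_public(path)) return SERVE_PAGE;
    return s != NULL ? SERVE_PAGE : REDIRECT_TO_INDEX;
}

/* Hardened: the session must have completed login with a sufficient role. */
enum verdict check_authorized(const struct session *s, const char *path) {
    if (is_public(path)) return SERVE_PAGE;
    if (s == NULL || s->role == ROLE_NONE) return REDIRECT_TO_INDEX;
    return s->role >= required_role(path) ? SERVE_PAGE : REDIRECT_TO_INDEX;
}

int main(void) {
    const char *page = "/cust/technician_ui_status_zap_status.html";
    printf("cookie-only, pre-login: %d\n", check_cookie_only(&PRELOGIN, page));
    printf("hardened,    pre-login: %d\n", check_authorized(&PRELOGIN, page));
    printf("hardened,    owner:     %d\n", check_authorized(&OWNER, page));
    printf("hardened,    tech:      %d\n", check_authorized(&TECH, page));
    return 0;
}
```

A real fix would also issue a fresh session identifier at login, so a cookie obtained before authentication is never promoted.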

things to do with wsal:

  • try REMOVE, DELETE and PUT requests (shttpd supports them)
  • PUT can be either authorized or not authorized depending on if this is compiled with -DNO_AUTH or not (seems like they compiled with that to reduce binary size by 4kb)
  • ../ sequences are removed from the URL before processing
  • possible buffer overflow in put_dir()? assert from source code is missing in binary
    • from what I see they compiled the source with -DNDEBUG which removes all the assert code (shttpd source also mentions that this reduces the binary size around 5kb)
  • large number of sprintf called in embedded CGIs but only in the *_to_html functions, so likely not processing user input at this point
  • before passing a request to a cgi script all HTTP headers are added to the environment. does this allow us to overwrite any existing env variables and if so, does it help us?
  • shttpd has support for server side includes, one command for this among others is exec. I'm not sure though if SSI is enabled for any html page or it has to be a special URL that needs to get registered. If this is generally enabled in html files it might be interesting to combine this with a PUT request that produces an html file.
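
On the question of request headers overwriting environment variables: the usual defence is the CGI naming rule (RFC 3875), where every header is exported as `HTTP_` plus its upper-cased name, so it cannot collide with variables such as PATH or LD_PRELOAD. The sketch below is an added example, not shttpd or wsal code, and whether this build applies the rule is not established on the page; the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Write the CGI meta-variable name for a request header into out.
 * Returns 0 on success, -1 if the header must not be exported
 * (out is then left in an unspecified state). */
int cgi_env_name(const char *header, char *out, size_t outlen) {
    size_t n = strlen(header);
    if (n == 0 || n + 6 > outlen) return -1;       /* "HTTP_" + name + NUL */
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)header[i];
        if (c == '-') out[5 + i] = '_';
        else if (isalnum(c) || c == '_') out[5 + i] = (char)toupper(c);
        else return -1;                            /* '=', spaces, control bytes */
    }
    out[5 + n] = '\0';
    /* The prefix rule has one well-known collision: a "Proxy" header becomes
     * HTTP_PROXY, which many HTTP client libraries read as their proxy setting. */
    if (strcmp(out, "HTTP_PROXY") == 0) return -1;
    return 0;
}

/* Convenience wrapper: mapped name, or NULL when the header is dropped.
 * Uses a static buffer, so it is not thread-safe. */
const char *cgi_env_for(const char *header) {
    static char buf[128];
    return cgi_env_name(header, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    /* Constructed header names, not captured traffic. */
    const char *samples[] = { "User-Agent", "LD_PRELOAD", "PATH", "Proxy", "X=Y" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *name = cgi_env_for(samples[i]);
        printf("%-12s -> %s\n", samples[i], name ? name : "(dropped)");
    }
    return 0;
}
```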

pages

operator

from operator/web/ :

  • help_contents.html
  • help.html
  • help_index.html
  • login.html
  • owner_network_dhcp_dis.html
  • owner_network_dhcp_en.html
  • owner_password_change.html
  • owner_status_femto_hz_dis.html
  • owner_status_femto_hz_en.html
  • owner_status_ue.html

vendor

from ubiqfs/bin/htdocs/, access them with cust/ in the URL :

  • error_no_db_parameters.html
  • error_no_next_page.html
  • help_contents.html
  • help.html
  • help_index.html
  • index.html
  • login.html
  • mno_ui_diag_reset.html
  • mno_ui_eng_paras_2gsniffprofile.html
  • mno_ui_eng_paras_cellconf.html
  • mno_ui_eng_paras_cellselect.html
  • mno_ui_eng_paras_comch.html
  • mno_ui_eng_paras_dlmmprofile.html
  • mno_ui_eng_paras_gen.html
  • mno_ui_eng_paras_handout.html
  • mno_ui_eng_paras.html
  • mno_ui_eng_paras_lacconf.html
  • mno_ui_eng_paras_mmgmm.html
  • mno_ui_eng_paras_neighgsm.html
  • mno_ui_eng_paras_neighmacro.html
  • mno_ui_eng_paras_neighzap.html
  • mno_ui_eng_paras_rabpar.html
  • mno_ui_eng_paras_rrctimers.html
  • mno_ui_eng_paras_rrmstatus.html
  • mno_ui_eng_paras_sniffprofile.html
  • mno_ui_eng_paras_uetimers.html
  • mno_ui_metrics_perf.html
  • mno_ui_nw_acs.html
  • mno_ui_nw_cn_gw.html
  • mno_ui_nw_ip_timing.html
  • mno_ui_nw_ip_timing_servers_edit.html
  • mno_ui_nw_ip_timing_servers.html
  • mno_ui_nw_psoff_apn.html
  • mno_ui_nw_psoff_dis.html
  • mno_ui_nw_psoff_en.html
  • mno_ui_nw_ran_gw.html
  • mno_ui_nw_status.html
  • mno_ui_rabpar_hsdpa.html
  • mno_ui_rabpar_multi.html
  • mno_ui_rabpar_phych.html
  • mno_ui_rabpar_single.html
  • mno_ui_status_addue_gan.html
  • mno_ui_status_addue_ietf_sip.html
  • mno_ui_status_addue_ims_sip.html
  • mno_ui_status_event_log.html
  • mno_ui_status_sw_status.html
  • mno_ui_status_ue_status_gan.html
  • mno_ui_status_ue_status.html
  • mno_ui_status_ue_status_ietf_sip.html
  • mno_ui_status_ue_status_ims_sip.html
  • mno_ui_status_zap_status.html
  • owner_network_dhcp_dis.html
  • owner_network_dhcp_en.html
  • owner_password_change.html
  • owner_status_femto_hz_dis.html
  • owner_status_femto_hz_en.html
  • owner_status_ue.html
  • services_ui_presence.html
  • technician_ui_diag_reset.html
  • technician_ui_eng_paras_2gsniffprofile.html
  • technician_ui_eng_paras_cellconf.html
  • technician_ui_eng_paras_cellselect.html
  • technician_ui_eng_paras_comch.html
  • technician_ui_eng_paras_dlmmprofile.html
  • technician_ui_eng_paras_gen.html
  • technician_ui_eng_paras_handout.html
  • technician_ui_eng_paras.html
  • technician_ui_eng_paras_lacconf.html
  • technician_ui_eng_paras_mmgmm.html
  • technician_ui_eng_paras_neighgsm.html
  • technician_ui_eng_paras_neighmacro.html
  • technician_ui_eng_paras_neighzap.html
  • technician_ui_eng_paras_rabpar.html
  • technician_ui_eng_paras_rrctimers.html
  • technician_ui_eng_paras_rrmstatus.html
  • technician_ui_eng_paras_sniffprofile.html
  • technician_ui_eng_paras_uetimers.html
  • technician_ui_metrics_perf.html
  • technician_ui_nw_acs.html
  • technician_ui_nw_cn_gw.html
  • technician_ui_nw_ip_timing.html
  • technician_ui_nw_ip_timing_servers_edit.html
  • technician_ui_nw_ip_timing_servers.html
  • technician_ui_nw_psoff_apn.html
  • technician_ui_nw_psoff_dis.html
  • technician_ui_nw_psoff_en.html
  • technician_ui_nw_ran_gw.html
  • technician_ui_nw_status.html
  • technician_ui_rabpar_hsdpa.html
  • technician_ui_rabpar_multi.html
  • technician_ui_rabpar_phych.html
  • technician_ui_rabpar_single.html
  • technician_ui_status_addue_gan.html
  • technician_ui_status_addue_ietf_sip.html
  • technician_ui_status_addue_ims_sip.html
  • technician_ui_status_event_log.html
  • technician_ui_status_sw_status.html
  • technician_ui_status_ue_status_gan.html
  • technician_ui_status_ue_status.html
  • technician_ui_status_ue_status_ietf_sip.html
  • technician_ui_status_ue_status_ims_sip.html
  • technician_ui_status_zap_status.html
html.txt · Last modified: 2011/08/30 15:34 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported