[Google] Admin access to FS KVM Switch
At http://XXX.XXX.XX.XX, there was a login portal at "/login.html" for Google Admins to access an FS KVM Switch.
The portal served as a single console for multiple network servers.
The "/index.html" page was not accessible without the cookies assigned after authentication.
The default creds were still in place, so logging in as the Admin was possible, and the redirect to "/index.html" was taken as a successful login.
The interface showed an iframe meant to list devices, which was empty.
I stopped my testing at this point because the latency of the responses was really high, which gave me an indication that further testing with tools might result in the server getting throttled.
Timeline -
Reported - 28-07-2024
Triaged - 29-07-2024
Accepted - 30-07-2024 (🎉 Nice catch!)
Fixed - 14-08-2024
Rewarded - 16-08-2024