lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 1 Oct 2010 01:19:54 -0500 (CDT)
From: security curmudgeon <jericho@...rition.org>
To: advisory@...ridge.ch
Cc: bugtraq@...urityfocus.com
Subject: Re: XSRF (CSRF) in Zimplit


Hi HTBridge,

: Vulnerability ID: HTB22605
: Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_zimplit.html
: Vendor: Zimplit Ltd. ( http://www.zimplit.com/ ) 
: Vulnerable Version: 3.0 and Probably Prior Versions
: Vendor Notification: 15 September 2010 
: Vulnerability Type: CSRF (Cross-Site Request Forgery)
: Risk level: Low 
: Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 
: 
: Vulnerability Details:
: The vulnerability exists due to failure in the "zimplit.php" script to properly verify the source of HTTP request.
: 
: Successful exploitation of this vulnerability could result in a 
: compromise of the application, theft of cookie-based authentication 
: credentials, disclosure or modification of sensitive data.
: 
: Attacker can use browser to exploit this vulnerability. The PoC example:
: http://host/zimplit.php?action=load&file=../hello.php
: This PoC leads to the execution of the "hello.php" in the parent folder.

One thing you fail to mention, is that the file that can be called via the 
'file' parameter is limited to ones in the web root. Under most 
circumstances, that considerably limits the attack vectors available. I 
wanted to make this clear since your wording implies there is a privileged 
traversal here, when there isn't.

The real threat here, is that the application is vulnerable to CSRF, and 
an admin user can be tricked into performing other, more serious actions. 
Demonstrating a few of those vectors would be more helpful.

- security curmudgeon

Powered by blists - more mailing lists