[<prev] [next>] [day] [month] [year] [list]
Message-ID: <53AC7EFC.7000507@sas.upenn.edu>
Date: Thu, 26 Jun 2014 16:13:48 -0400
From: Ubani Balogun <ubani@....upenn.edu>
To: fulldisclosure@...lists.org
Cc: "Justin C. Klein Keane" <jukeane@....upenn.edu>
Subject: [FD] openSIS 4.5 - 5.3 Cross Site Request Forgery Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
openSIS 4.5 - 5.3 Cross Site Request Forgery Vulnerability
==========================================================
Author: Ubani Anthony Balogun <ubani@....upenn.edu>
Reported: June 26, 2014
Product Description:
- --------------------
openSIS, is a free student information system that rivals costly
commercial alternatives in looks, functionality, ease of use and
administration.
Description of Vulnerability:
- -----------------------------
openSIS versions 4.5 and 5.3 suffer from a Login Cross Site Request
Forgery Vulnerability (Login CSRF) owing to it's failure to secure the
login form with CSRF tokens.
The vulnerability is futher exarcebated by the fact that a HTTP Get
request can be used to perfom login actions, allowing login requests
to be forged via urls.
System impacted:
- ----------------
openSIS versions 4.5 and 5.3 were tested and found to be vulnerable.
Impact:
- -------
This vulnerability allows a malicious attacker to log a victim into an
account other than theirs, and have the victim update the account with
their personal information (identity theft), perform actions in the
name of the account, or mount other Social Engineering attacks.
For further explanation of this vulnerability, please refer to
http://www.ethicalhack3r.co.uk/login-cross-site-request-forgery-csrf/
and
http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf
Mitigating Factors:
- -------------------
The vulnerability is mitigated by the fact that the name of the logged
in user is displayed on the site pages.
Proof of Concept:
- -----------------
1. Install OpenSIS 4.5 or 5.3 and create user login credentials
(username and password).
2. Navigate to /index.php?USERNAME=username&PASSWORD=password
3. The opensis system logs you into the account.
4. This vulnerability can also be exploited by crafting and accessing
the link from within an email.
Patch Advisory:
- ---------------
This vulnerability can be patched by implementing CSRF tokens on the
login form and requiring POST requests for login.
Vendor response:
- ----------------
Vendor responds issues will not be fixed in versions < 5.3
- --
Ubani Anthony Balogun
Information Security and Unix Services
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Suite 501
Philadelphia, PA 19104
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTrH78AAoJEKwVbF01qrx/3JcH/A8wcYRWDUkZ7NWWF1cS2Bll
ZJpTZXbGngGuX2CVeNmQ90kzEVDIfzqPezAvCLrglcRPahtTYPmCzFhF1hbX9FKn
h5Ju2pcmma0mCCMCk0f+ob9tYm6Yf814y/wktKT0YaDUb+zACGs50y8TbfJYL2Lj
UWygb4C48GiKCgOgxANDL93QsrpvM1CDRSBmtigeVuj8wsuDSWzb/8UCKB5OKQg3
ElM0Coqia4Znhye/rFERNqiGPZoz+D9Ajfmm90zZ8HeVsvvlfkh1R95/8L60+AfU
Yfpj6n3nN5l6NEjWEH7hc0W2BB3nvGvp8EwXwl2kzSQ3xgpMvrZ24mTS/ws3k50=
=C+t6
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists