Message-ID: <CABTCCWJ__0oG1pyRhmhd5bBGc1SkF=7r0z8j_T8qkzs-pX+TeQ@mail.gmail.com>
Date: Mon, 24 Oct 2016 08:49:34 +0200
From: mohamed sayed <eng.mohamed8860@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Security Vulnerability : Cisco web site CSRF in change password lead to full account take over

Dear Team,

Hope this email finds you well. Please be informed that I found a major
security vulnerability in the main Cisco web site https://www.cisco.com/

*Introduction*

The vulnerability allows a remote hacker to force the victim's browser to send
a password reset for their account, and then the hacker will be able to take
ownership of this account.
----------------------

*Description and steps to reproduce the issue*

1-Go to the main Cisco web site and create a new account

2-Click on forgot password and then enter your email

3-An email will be sent to your inbox; click the link to reset
your password

4-After capturing the request (attached), I found that it was sent with a
session token to open the web page,

but with the confirmation (sending email), this session token wasn't sent,
plus there is no authorization code or anti-forgery token!

*This leads to a CSRF vulnerability on the back-end side*

5-By writing a very simple POC script to simulate this request, the hacker
will be able to change the password of registered/logged-in victims in the Cisco
web application,

and by knowing their email he will be able to take over their account easily!
------------------------

*Mitigation*
I'm suggesting the following solution to solve this issue:

1-In the *POST* reset-password action: the request should contain the session
token or authorization code, and the back-end side should validate that this
session is valid

2-An anti-forgery token should be added to the request parameters.
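As an added illustration (not the reporter's POC and not Cisco's code), the handler below shows both suggested controls in one place: a password-reset POST is honoured only when a valid session is present, the form carries the anti-forgery token issued for that same session, and the target account matches the session. The Session class, SECRET_KEY and the form field names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Server-side key used to derive per-session anti-forgery tokens (constructed here).
SECRET_KEY = secrets.token_bytes(32)


@dataclass
class Session:
    """Assumed shape of the server-side session looked up from the session cookie."""
    session_id: str
    user_email: str


def csrf_token_for(session: Session) -> str:
    """Synchronizer token bound to one session: HMAC-SHA256(server key, session id).

    A cross-site page cannot read this value, so it cannot forge a reset request.
    """
    return hmac.new(SECRET_KEY, session.session_id.encode(), hashlib.sha256).hexdigest()


def reset_password(session: Optional[Session], form: Dict[str, str]) -> Tuple[int, str]:
    """Password-reset POST handler. Returns (http_status, message).

    Order matters: authenticate first, then verify the anti-forgery token with a
    constant-time compare, then check that the reset targets the session's own account.
    """
    if session is None:
        return 401, "no valid session"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(session)):
        return 403, "anti-forgery token missing or invalid"
    if form.get("email", "").strip().lower() != session.user_email.lower():
        return 403, "reset target does not match the authenticated account"
    if len(form.get("new_password", "")) < 12:
        return 400, "new password too short"
    # Real code would hash and store the password here; this example only reports success.
    return 200, f"password changed for {session.user_email}"
```
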

-------------------
Attached are screenshots and a simple POC (CISCO_ACCOUNT_OWNERSHIPT_CSRF.html)
to demonstrate the issue.

If there is anything not clear, please let me know.

Looking forward to reading from you soon :)

Regards



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
