XSRF (CSRF) in Zimplit Sep 29 2010 01:55PM
advisory htbridge ch (1 replies)
Re: XSRF (CSRF) in Zimplit Oct 01 2010 06:19AM
security curmudgeon (jericho attrition org)

Hi HTBridge,

: Vulnerability ID: HTB22605
: Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_zimplit.html
: Vendor: Zimplit Ltd. ( http://www.zimplit.com/ )
: Vulnerable Version: 3.0 and Probably Prior Versions
: Vendor Notification: 15 September 2010
: Vulnerability Type: CSRF (Cross-Site Request Forgery)
: Risk level: Low
: Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
: Vulnerability Details:
: The vulnerability exists due to failure in the "zimplit.php" script to properly verify the source of HTTP request.
: Successful exploitation of this vulnerability could result in a
: compromise of the application, theft of cookie-based authentication
: credentials, disclosure or modification of sensitive data.
: Attacker can use browser to exploit this vulnerability. The PoC example:
: http://host/zimplit.php?action=load&file=../hello.php
: This PoC leads to the execution of the "hello.php" in the parent folder.

One thing you fail to mention, is that the file that can be called via the
'file' parameter is limited to ones in the web root. Under most
circumstances, that considerably limits the attack vectors available. I
wanted to make this clear since your wording implies there is a privileged
traversal here, when there isn't.

The real threat here, is that the application is vulnerable to CSRF, and
an admin user can be tricked into performing other, more serious actions.
Demonstrating a few of those vectors would be more helpful.

- security curmudgeon

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus