BugTraq
EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection Apr 27 2016 03:12PM
Securify B.V. (lists securify nl)
------------------------------------------------------------------------

EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection
------------------------------------------------------------------------

Han Sahin, November 2014

------------------------------------------------------------------------

Abstract
------------------------------------------------------------------------

It was discovered that EMC M&R (Watch4net) does not protect against
Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can
compromise end user data and may allow an attacker to perform an account
hijack. If the targeted end user is the administrator account, this
results in a full compromise of Watch4net.

------------------------------------------------------------------------

Affected versions
------------------------------------------------------------------------

Versions of EMC ViPR SRM prior to version 3.7 are affected by these
vulnerabilities.

------------------------------------------------------------------------

See also
------------------------------------------------------------------------

- http://seclists.org/bugtraq/2016/Apr/att-106/ESA-2016-039.txt
- CVE-2016-0891

------------------------------------------------------------------------

Fix
------------------------------------------------------------------------

EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please
note that this fix is only available for registered EMC Online Support
customers.

------------------------------------------------------------------------

Details
------------------------------------------------------------------------

https://www.securify.nl/advisory/SFY20141109/emc_m_r__watch4net__lacks_c
ross_site_request_forgery_protection.html

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus