Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 16 May 2013 16:38:56 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
CC: Kurt Seifried <kseifried@...hat.com>
Subject: Re: CVE-2013-2097: zPanel themes remote command execution
 as root

On 05/16/2013 02:11 PM, Kurt Seifried wrote:
> Ok and "joepie91" on reddit posted:
> 
> http://www.reddit.com/r/netsec/comments/1ee0eg/zpanel_support_team_calls_forum_user_fucken/c9zujzt
> 
> ======
> It's a pretty basic (and more annoying than harmful) CSRF - basically,
> http://zpanel.whatever.com/?logout=anything will log out the user from
> a panel, no matter where it's called from. There's no logout key, and
> no referer checking.
> 
> Insert <img src="http://zpanel.whatever.com/?logout=anything"> on any
> site and anyone that visits the page will have their
> zpanel.whatever.com session killed instantly.
> ======
> 
> I can't verify this, but even if true it appears that there is no real
> trust boundary violation (user clicks the link, they get logged out,
> or JavaScript is used to trigger it, whatever). Unless someone can
> show otherwise not assigning a CVE for this issue.

Kurt: just to be clear, joepie91's attack didn't require javascript or
link-clicking or anything of the kind, because it's an img src -- as
long as your browser loads images automatically from non-origin hosts,
it will trigger this behavior.

That said, I agree with Kurt's general assessment here: this kind of DoS
is the nicest possible thing an attacker can do with a CSRF.

	--dkg


Download attachment "signature.asc" of type "application/pgp-signature" (1028 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.