Date: Sun,  8 Feb 2015 20:06:28 -0500 (EST)
Subject: Re: CVE-Request -- eFront v. build 18021 (Community Edition) -- Multiple CSRF vulnerabilities

> I found multiple CSRF vulnerabilities ...

Use CVE-2015-1559 for all of the CSRF vulnerabilities.

> The components being used for creating the auto-login token are the
> following information:
> - a salt
> - the account's creation date
> - the username
> The salt isn't generated dynamically during the installation. On a common
> eFront installation without any changes by the administrator, it has the
> value cDWQR#$Rcxsc. The admin account's creation date has the standard value
> 1365149958.
> As the standard administrator's account name is "admin", the auto-login token
> for the administrator's account of eFront always has the value
> eb514ea3c45d74a1218e207fb4b345b1 if the precondition is fulfilled

This token-creation approach is arguably an undesirable behavior, but
it does not have a CVE ID. The existence of the
eb514ea3c45d74a1218e207fb4b345b1 value does not provide access unless
an autologin=1 request is sent within an administrative session. This
issue is relevant mainly when a CSRF vulnerability exists. says:

  Admin->Maintenance->Autologin. This new tab allows to select the
  users that may autologin to the system via a simple link. Useful for
  guest users but there are many others uses as well.

We do not think that intentionally setting up Autologin for an
administrator is a common or plausible use case. If Autologin had been
enabled for any other user account, the attacker would apparently need
to know both the username and the account's creation date. Better
salting would be an opportunity for security improvement. Accounts
that would realistically be configured for Autologin are probably not
high-value accounts, and the salt choice could be a
security-versus-complexity tradeoff.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
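The "better salting" point above, as an added illustration that is not eFront's code nor part of either message: a token derived only from a static salt, the account creation date and the username is identical on every default installation, whereas an HMAC keyed with a secret generated once per installation is not. The concatenation order and md5 used for the weak variant are an assumption for illustration; the report names the inputs, not the exact recipe.

```python
import hashlib
import hmac
import secrets

# Constructed sample account using the defaults quoted in the report:
# login "admin", creation timestamp 1365149958.
ADMIN = {"login": "admin", "created": 1365149958}

# Default salt quoted in the report. How eFront actually combines the inputs
# is not stated there; the md5-over-concatenation below is an assumption.
STATIC_SALT = "cDWQR#$Rcxsc"


def token_static_salt(account, install_secret=None):
    """Weak variant: the per-install secret is ignored, so every default
    install derives the token from values that are public or identical."""
    material = f"{STATIC_SALT}{account['created']}{account['login']}".encode()
    return hashlib.md5(material).hexdigest()


def token_keyed(account, install_secret):
    """Hardened variant: same public inputs, but keyed with a secret that
    exists only on this installation, so the token cannot be precomputed."""
    msg = f"{account['created']}:{account['login']}".encode()
    return hmac.new(install_secret, msg, hashlib.sha256).hexdigest()


def new_install_secret():
    """Generated once at install time and stored server-side; never a default."""
    return secrets.token_bytes(32)


def same_token_on_two_installs(derive):
    """True if two independent installs with identical defaults produce the
    same autologin token for the same account (the predictability problem)."""
    first = derive(ADMIN, new_install_secret())
    second = derive(ADMIN, new_install_secret())
    return first == second


def verify_token(account, install_secret, presented):
    """Constant-time comparison so the check does not leak the token byte by byte."""
    expected = token_keyed(account, install_secret)
    return hmac.compare_digest(expected, presented)
```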

