Cross Site Request Forgery - Front Accounting ERP 2.4.3 - CVE-2018-7176

By- Samrat Das
Recently, while performing some open source security assessment, I came across an ERP application, Front Accounting. Curious to explore its functionalities, I set up a local copy and started playing around to find security vulnerabilities.
Title of the Vulnerability: Cross Site Request Forgery
Vulnerability Class: Remote Code Execution / Account takeover
Technical Details & Description: The application's source code is written in a way that lets a maliciously crafted HTML page submit state-changing requests on an authenticated user's behalf, without any anti-CSRF countermeasures.
CVE ID allocated: CVE-2018-7176
Product & Service Introduction: Front Accounting 2.4.3
Steps to Reproduce:
1. Visit the application.
2. Visit the User Permissions page.
3. Go to "Add user" and craft a CSRF exploit for that form; once it is hosted on a server and the victim is sent the link and clicks it, the forged request is executed.
Exploitation Technique: An attacker can perform applica…
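The root cause above is that the add-user handler authorises the request on the session cookie alone. The following is an added illustration (not FrontAccounting's code) of the vulnerable pattern next to a hardened handler that validates a per-session synchronizer token and checks the Origin header; the form field name, the site origin and the request objects are all constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_FIELD = "csrf_token"                      # assumed form field name
SITE_ORIGIN = "https://erp.example.internal"    # assumed deployment origin


@dataclass
class Session:
    """Server-side session of a logged-in administrator."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Constructed stand-in for a POST to the add-user page."""
    session: Session            # resolved from the cookie the browser attaches
    form: dict
    origin: Optional[str] = None  # Origin header; some legacy browsers omit it


def add_user_vulnerable(req: Request, users: dict) -> bool:
    """Pattern the advisory describes: the cookie alone authorises the action."""
    users[req.form["user_id"]] = req.form["role"]
    return True


def add_user_hardened(req: Request, users: dict) -> bool:
    """Synchronizer token bound to the session, compared in constant time,
    plus an Origin check as defence in depth."""
    if not hmac.compare_digest(req.form.get(TOKEN_FIELD, ""), req.session.csrf_token):
        return False
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False
    users[req.form["user_id"]] = req.form["role"]
    return True


def demo() -> tuple:
    """(forged accepted by vulnerable, forged accepted by hardened, legit accepted by hardened)."""
    admin = Session(user="admin")
    # Cross-site submission: browser sends the admin's cookie but no token.
    forged = Request(admin, {"user_id": "new_user", "role": "System Administrator"},
                     origin="https://other-site.example")
    legit = Request(admin, {"user_id": "alice", "role": "Accountant",
                            TOKEN_FIELD: admin.csrf_token}, origin=SITE_ORIGIN)
    return (add_user_vulnerable(forged, {}), add_user_hardened(forged, {}),
            add_user_hardened(legit, {}))
```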