openSIS 5.3 Cross Site Request Forgery

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
openSIS 4.5 - 5.3 Cross Site Request Forgery Vulnerability  
==========================================================  
  
Author: Ubani Anthony Balogun <[email protected]>  
Reported: June 26, 2014  
  
Product Description:  
- --------------------  
openSIS, is a free student information system that rivals costly  
commercial alternatives in looks, functionality, ease of use and  
administration.  
  
  
Description of Vulnerability:  
- -----------------------------  
openSIS versions 4.5 and 5.3 suffer from a Login Cross Site Request  
Forgery Vulnerability (Login CSRF) owing to it's failure to secure the  
login form with CSRF tokens.  
The vulnerability is futher exarcebated by the fact that a HTTP Get  
request can be used to perfom login actions, allowing login requests  
to be forged via urls.  
  
  
System impacted:  
- ----------------  
openSIS versions 4.5 and 5.3 were tested and found to be vulnerable.  
  
Impact:  
- -------  
This vulnerability allows a malicious attacker to log a victim into an  
account other than theirs, and have the victim update the account with  
their personal information (identity theft), perform actions in the  
name of the account, or mount other Social Engineering attacks.  
For further explanation of this vulnerability, please refer to  
http://www.ethicalhack3r.co.uk/login-cross-site-request-forgery-csrf/  
and  
http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf  
  
Mitigating Factors:  
- -------------------  
The vulnerability is mitigated by the fact that the name of the logged  
in user is displayed on the site pages.  
  
Proof of Concept:  
- -----------------  
1. Install OpenSIS 4.5 or 5.3 and create user login credentials  
(username and password).  
2. Navigate to /index.php?USERNAME=username&PASSWORD=password  
3. The opensis system logs you into the account.  
4. This vulnerability can also be exploited by crafting and accessing  
the link from within an email.  
  
  
Patch Advisory:  
- ---------------  
This vulnerability can be patched by implementing CSRF tokens on the  
login form and requiring POST requests for login.  
  
Vendor response:  
- ----------------  
Vendor responds issues will not be fixed in versions < 5.3  
  
- --   
Ubani Anthony Balogun  
Information Security and Unix Services  
University of Pennsylvania  
School of Arts and Sciences  
3600 Market St.  
Suite 501  
Philadelphia, PA 19104  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/  
  
iQEcBAEBAgAGBQJTrH78AAoJEKwVbF01qrx/3JcH/A8wcYRWDUkZ7NWWF1cS2Bll  
ZJpTZXbGngGuX2CVeNmQ90kzEVDIfzqPezAvCLrglcRPahtTYPmCzFhF1hbX9FKn  
h5Ju2pcmma0mCCMCk0f+ob9tYm6Yf814y/wktKT0YaDUb+zACGs50y8TbfJYL2Lj  
UWygb4C48GiKCgOgxANDL93QsrpvM1CDRSBmtigeVuj8wsuDSWzb/8UCKB5OKQg3  
ElM0Coqia4Znhye/rFERNqiGPZoz+D9Ajfmm90zZ8HeVsvvlfkh1R95/8L60+AfU  
Yfpj6n3nN5l6NEjWEH7hc0W2BB3nvGvp8EwXwl2kzSQ3xgpMvrZ24mTS/ws3k50=  
=C+t6  
-----END PGP SIGNATURE-----  
  
  
`