openSIS 4.5 - 5.3 Cross Site Request Forgery Vulnerability

2014.06.29
Credit: Ubani Anthony Balogun
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

openSIS 4.5 - 5.3 Cross Site Request Forgery Vulnerability ========================================================== Author: Ubani Anthony Balogun <ubani () sas upenn edu> Reported: June 26, 2014 Product Description: - -------------------- openSIS, is a free student information system that rivals costly commercial alternatives in looks, functionality, ease of use and administration. Description of Vulnerability: - ----------------------------- openSIS versions 4.5 and 5.3 suffer from a Login Cross Site Request Forgery Vulnerability (Login CSRF) owing to it's failure to secure the login form with CSRF tokens. The vulnerability is futher exarcebated by the fact that a HTTP Get request can be used to perfom login actions, allowing login requests to be forged via urls. System impacted: - ---------------- openSIS versions 4.5 and 5.3 were tested and found to be vulnerable. Impact: - ------- This vulnerability allows a malicious attacker to log a victim into an account other than theirs, and have the victim update the account with their personal information (identity theft), perform actions in the name of the account, or mount other Social Engineering attacks. For further explanation of this vulnerability, please refer to http://www.ethicalhack3r.co.uk/login-cross-site-request-forgery-csrf/ and http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf Mitigating Factors: - ------------------- The vulnerability is mitigated by the fact that the name of the logged in user is displayed on the site pages. Proof of Concept: - ----------------- 1. Install OpenSIS 4.5 or 5.3 and create user login credentials (username and password). 2. Navigate to /index.php?USERNAME=username&PASSWORD=password 3. The opensis system logs you into the account. 4. This vulnerability can also be exploited by crafting and accessing the link from within an email. Patch Advisory: - --------------- This vulnerability can be patched by implementing CSRF tokens on the login form and requiring POST requests for login. Vendor response: - ---------------- Vendor responds issues will not be fixed in versions < 5.3 - -- Ubani Anthony Balogun Information Security and Unix Services University of Pennsylvania School of Arts and Sciences 3600 Market St. Suite 501 Philadelphia, PA 19104 \


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top