perfSONAR - v4.x <= v4.4.5 - Partial Blind CSRF

2022.12.01
us Ryan Moore (US) us
Risk: Medium
Local: Yes
Remote: Yes
CWE: N/A

https://github.com/renmizo/CVE-2022-41413/ Vendor: perfSONAR Link: https://github.com/perfsonar/ Affected Versions: v4.x <= v4.4.5 Vulnerability Type: Partial Blind CSRF Discovered by: Ryan Moore CVE: CVE-2022-41413 Summary A partial blind CSRF vulnerability exists in perfSONAR v4.x <= v4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the URL parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHTTPRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR. This vulnerability was patched in perfSONAR v4.4.6. Proof of Concept Examples Here are two examples of this vulnerability. For further details, review the Technical Overview section below. Example 1: Client browser connects to www.google.com in the background. http://192.168.68.145/perfsonar-graphs/?source=1&dest=2&url=https://www.google.com Example 2: Client browser connects to arbitrary IP and port in the background, passing delete parameter to /api endpoint. http://192.168.68.145/perfsonar-graphs/?source=8.8.8.8&dest=%26action%3Ddelete&url=http://192.168.68.113:4444/api

References:

https://lists.internet2.edu/sympa/arc/perfsonar-user/2022-11/msg00008.html
https://www.perfsonar.net/releasenotes-2022-11-09-4-4-6.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41413


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top