oss-sec mailing list archives
Re: CVE-2013-2097: zPanel themes remote command execution as root
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Thu, 16 May 2013 16:38:56 -0400
On 05/16/2013 02:11 PM, Kurt Seifried wrote:
Ok and "joepie91" on reddit posted: http://www.reddit.com/r/netsec/comments/1ee0eg/zpanel_support_team_calls_forum_user_fucken/c9zujzt ====== It's a pretty basic (and more annoying than harmful) CSRF - basically, http://zpanel.whatever.com/?logout=anything will log out the user from a panel, no matter where it's called from. There's no logout key, and no referer checking. Insert <img src="http://zpanel.whatever.com/?logout=anything"> on any site and anyone that visits the page will have their zpanel.whatever.com session killed instantly. ====== I can't verify this, but even if true it appears that there is no real trust boundary violation (user clicks the link, they get logged out, or JavaScript is used to trigger it, whatever). Unless someone can show otherwise not assigning a CVE for this issue.
Kurt: just to be clear, joepie91's attack didn't require javascript or link-clicking or anything of the kind, because it's an img src -- as long as your browser loads images automatically from non-origin hosts, it will trigger this behavior. That said, I agree with Kurt's general assessment here: this kind of DoS is the nicest possible thing an attacker can do with a CSRF. --dkg
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE-2013-2097: zPanel themes remote command execution as root Kurt Seifried (May 15)
- Re: CVE-2013-2097: zPanel themes remote command execution as root Kurt Seifried (May 16)
- Re: CVE-2013-2097: zPanel themes remote command execution as root Daniel Kahn Gillmor (May 16)
- Re: CVE-2013-2097: zPanel themes remote command execution as root Kurt Seifried (May 16)