Re: CVE-2013-2097: zPanel themes remote command execution as root

[Daniel Kahn Gillmor <dkg () fifthhorseman net>]

On 05/16/2013 02:11 PM, Kurt Seifried wrote:
> Ok and "joepie91" on reddit posted:
>
> http://www.reddit.com/r/netsec/comments/1ee0eg/zpanel_support_team_calls_forum_user_fucken/c9zujzt
>
> ======
> It's a pretty basic (and more annoying than harmful) CSRF - basically,
> http://zpanel.whatever.com/?logout=anything will log out the user from
> a panel, no matter where it's called from. There's no logout key, and
> no referer checking.
>
> Insert <img src="http://zpanel.whatever.com/?logout=anything";> on any
> site and anyone that visits the page will have their
> zpanel.whatever.com session killed instantly.
> ======
>
> I can't verify this, but even if true it appears that there is no real
> trust boundary violation (user clicks the link, they get logged out,
> or JavaScript is used to trigger it, whatever). Unless someone can
> show otherwise not assigning a CVE for this issue.

Kurt: just to be clear, joepie91's attack didn't require javascript or
link-clicking or anything of the kind, because it's an img src -- as
long as your browser loads images automatically from non-origin hosts,
it will trigger this behavior.

That said, I agree with Kurt's general assessment here: this kind of DoS
is the nicest possible thing an attacker can do with a CSRF.

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature