Re: [oss-security] CVE Request: Advanced Electron Forums (AEF) 1.0.9 <= Cross Site Request Forgery (CSRF) Vulnerability

From: Josh Bressers <bressers_at_nospam>
Date: Fri Sep 30 2011 - 14:38:33 GMT
To: oss-security@lists.openwall.com

Please use CVE-2011-3582

Thanks.

-- JB ----- Original Message ----- > Advanced Electron Forums (AEF) 1.0.9 <= Cross Site Request Forgery > (CSRF) Vulnerability > > > > 1. OVERVIEW > > The Advanced Electron Forums (AEF) Â 1.0.9 <= versions are vulnerable > to Cross Site Request Forgery (CSRF). > > > 2. BACKGROUND > > AEF has a very simple and easy to use Administration Panel and > installing this software is a piece of cake! You can install new > themes, customize themes the way you want. The User Control Panel has > a simple yet beautiful interface where users can set their > preferences > for the board. > > > 3. VULNERABILITY DESCRIPTION > > Advanced Electron Forums (AEF) 1.0.9 <= Â versions contain a flaw that > allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The > flaw exists because the application does not require multiple steps > or > explicit confirmation for sensitive transactions for majority of > administrator functions such as adding new user, assigning user to > administrative privilege. By using a crafted URL, an attacker may > trick the victim into visiting to his web page to take advantage of > the trust relationship between the authenticated victim and the > application. Such an attack could trick the victim into executing > arbitrary commands in the context of their session with the > application, without further prompting or verification. > > > 4. VERSIONS AFFECTED > > 1.0.9 <= > > > 5. PROOF-OF-CONCEPT/EXPLOIT > > The following request ecalates a normal user to an administrator. > > [REQUEST] > POST /aef/index.php?act=editprofile&uid=2 HTTP/1.1 > > username=tester&email=tester%40yehg.net&u_member_group=1&realname=&title=&location=&gender=1&privatetext=&icq=&yim=&msn=&aim=&www=&sig=&editprofile=Edit+Profile > [/REQUEST] > > > 6. SOLUTION > > Partial fix is available. > The vendor released a single patch for the provided vulnerable > EditProfile functionality. > http://www.anelectron.com/downloads/index.php?act=downloadattach&atid=59 > > > 7. VENDOR > > Electron Inc. > http://www.anelectron.com/ > > > 8. CREDIT > > This vulnerability was discovered by Aung Khant, http://yehg.net, YGN > Ethical Hacker Group, Myanmar. > > > 9. DISCLOSURE TIME-LINE > > 2010-12-14: notified vendor through email, website contact form > submission > 2011-05-17: vendor released aef 1.0.9 without the CSRF fix > 2011-09-06: vendor released separate patch about the CSRF fix > 2011-09-26: vulnerability disclosed > > > 10. REFERENCES > > Original Advisory URL: > http://yehg.net/lab/pr0js/advisories/[aef-1.x]_cross_site_request_forgery > CSRF Wiki: > https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery > > > > #yehg [2011-09-26] >

This message: [ Message body ]
Next message: Josh Bressers: "Re: [oss-security] CVE requests: Typo3"
Previous message: Josh Bressers: "Re: [oss-security] CVE request: heap-based buffer overflow in ldns"
In reply to: YGN Ethical Hacker Group: "[oss-security] CVE Request: Advanced Electron Forums (AEF) 1.0.9 <= Cross Site Request Forgery (CSRF) Vulnerability"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]