[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE Request: Advanced Electron Forums (AEF) 1.0.9 <= Cross Site Request Forgery (
From: Josh Bressers <bressers () redhat ! com>
Date: 2011-09-30 14:38:33
Message-ID: ad8b91d5-0aec-4f4d-9fef-b31d655d4072 () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
[Download RAW message or body]
Please use CVE-2011-3582
Thanks.
--
JB
----- Original Message -----
> Advanced Electron Forums (AEF) 1.0.9 <= Cross Site Request Forgery
> (CSRF) Vulnerability
>
>
>
> 1. OVERVIEW
>
> The Advanced Electron Forums (AEF) 1.0.9 <= versions are vulnerable
> to Cross Site Request Forgery (CSRF).
>
>
> 2. BACKGROUND
>
> AEF has a very simple and easy to use Administration Panel and
> installing this software is a piece of cake! You can install new
> themes, customize themes the way you want. The User Control Panel has
> a simple yet beautiful interface where users can set their
> preferences
> for the board.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> Advanced Electron Forums (AEF) 1.0.9 <= versions contain a flaw that
> allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The
> flaw exists because the application does not require multiple steps
> or
> explicit confirmation for sensitive transactions for majority of
> administrator functions such as adding new user, assigning user to
> administrative privilege. By using a crafted URL, an attacker may
> trick the victim into visiting to his web page to take advantage of
> the trust relationship between the authenticated victim and the
> application. Such an attack could trick the victim into executing
> arbitrary commands in the context of their session with the
> application, without further prompting or verification.
>
>
> 4. VERSIONS AFFECTED
>
> 1.0.9 <=
>
>
> 5. PROOF-OF-CONCEPT/EXPLOIT
>
> The following request ecalates a normal user to an administrator.
>
> [REQUEST]
> POST /aef/index.php?act=editprofile&uid=2 HTTP/1.1
>
> username=tester&email=tester%40yehg.net&u_member_group=1&realname=&title=&location=&gender=1&privatetext=&icq=&yim=&msn=&aim=&www=&sig=&editprofile=Edit+Profile
> [/REQUEST]
>
>
> 6. SOLUTION
>
> Partial fix is available.
> The vendor released a single patch for the provided vulnerable
> EditProfile functionality.
> http://www.anelectron.com/downloads/index.php?act=downloadattach&atid=59
>
>
> 7. VENDOR
>
> Electron Inc.
> http://www.anelectron.com/
>
>
> 8. CREDIT
>
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
>
>
> 9. DISCLOSURE TIME-LINE
>
> 2010-12-14: notified vendor through email, website contact form
> submission
> 2011-05-17: vendor released aef 1.0.9 without the CSRF fix
> 2011-09-06: vendor released separate patch about the CSRF fix
> 2011-09-26: vulnerability disclosed
>
>
> 10. REFERENCES
>
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/[aef-1.x]_cross_site_request_forgery
> CSRF Wiki:
> https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery
>
>
>
> #yehg [2011-09-26]
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic