Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 3 Feb 2011 11:02:10 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE Request: Zikula CMS 1.2.4 <= Cross Site
 Request Forgery (CSRF) Vulnerability

Please use CVE-2011-0535.

Thanks.

-- 
    JB


----- Original Message -----
> =====================================================================
> Zikula CMS 1.2.4 <= Cross Site Request Forgery (CSRF) Vulnerability
> =====================================================================
> 
> 
> 1. OVERVIEW
> 
> The Zikula 1.2.4 and lower versions were vulnerable to Cross Site
> Request Forgery (CSRF).
> 
> 
> 2. BACKGROUND
> 
> Zikula is a Web Application Toolkit, which allows you to run
> impressive websites and build powerful online applications. Zikula has
> received praise for many things, but we belive the highlights are ease
> of use, quick and easy development, security and performance and
> lastly flexibility.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> Zikula CMS 1.2.4 and lower versions contain a flaw that allows a
> remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw
> exists because the application does not require multiple steps or
> explicit confirmation for sensitive transactions for majority of
> administrator functions such as adding new user, assigning user to
> administrative privilege. By using a crafted URL, an attacker may
> trick the victim into visiting to his web page to take advantage of
> the trust relationship between the authenticated victim and the
> application. Such an attack could trick the victim into executing
> arbitrary commands in the context of their session with the
> application, without further prompting or verification.
> 
> 
> 4. VERSIONS AFFECTED
> 
> 1.2.4 <=
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> The following request escalates a normal user to an administrator.
> 
> [REQUEST]
> POST
> /zikula/index.php?module=users&type=admin&func=processusers&op=edit
> HTTP/1.1
> 
> authid=&userid=3&do=yes&access_permissions%5B%5D=2&access_permissions%5B%5D=1&uname=tester&email=tester%40yehg.net&pass=&vpass=&activated=1&theme=&submit=
> [/REQUEST]
> 
> 
> 6. SOLUTION
> 
> Upgrade to Zikula 1.2.5 or higher
> 
> 
> 7. VENDOR
> 
> Zikula Foundation
> http://zikula.org/
> 
> 
> 8. CREDIT
> 
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
> 
> 
> 9. DISCLOSURE TIME-LINE
> 
> 2010-12-24: notified vendor
> 2011-01-25: vendor released fix
> 2011-02-01: vulnerability disclosed
> 
> 
> 10. REFERENCES
> 
> Original Advisory URL: http://yehg.net/lab/pr0js/advisories/
> Vendor Released Info:
> http://community.zikula.org/index.php?module=News&func=display&sid=3041&title=zikula-1.2.5-released
> Zikula 1.2.5 Changlog:
> http://code.zikula.org/core12/browser/tags/Zikula-1.2.5/src/docs/CHANGELOG
> CSRF Wiki:
> https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery
> 
> 
> #yehg [2011-02-01]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ