CVE-2012-4893 - Cross-Site Request Forgery (CSRF)

Severity

68%

Complexity

86%

Confidentiality

106%

Multiple cross-site request forgery (CSRF) vulnerabilities in file/show.cgi in Webmin 1.590 and earlier allow remote attackers to hijack the authentication of privileged users for requests that (1) read files or execute (2) tar, (3) zip, or (4) gzip commands, a different issue than CVE-2012-2982.

CVSS 2.0 Base Score 6.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P).

Demo Examples

Cross-Site Request Forgery (CSRF)

CWE-352

This example PHP code attempts to secure the form submission process by validating that the user submitting the form has a valid session. A CSRF attack would not be prevented by this countermeasure because the attacker forges a request through the user's web browser in which a valid session already exists.

The following HTML is intended to allow a user to update a profile.


               </form>

profile.php contains the following code.


               }//if the session is registered to a valid user then allow update
                     exit;// Redirect user to login page
// The user session is valid, so process the request// and update the information
                     echo "Your profile has been successfully updated.";// read in the data from $POST and send an update// to the database

This code may look protected since it checks for a valid session. However, CSRF attacks can be staged from virtually any tag or HTML construct, including image tags, links, embed or object tags, or other attributes that load background images.

The attacker can then host code that will silently change the username and email address of any user that visits the page while remaining logged in to the target web application. The code might be an innocent-looking web page such as:


               </form>form.submit();// send to profile.php

Notice how the form contains hidden fields, so when it is loaded into the browser, the user will not notice it. Because SendAttack() is defined in the body's onload attribute, it will be automatically called when the victim loads the web page.

Assuming that the user is already logged in to victim.example.com, profile.php will see that a valid user session has been established, then update the email address to the attacker's own address. At this stage, the user's identity has been compromised, and messages sent through this profile could be sent to the attacker's address.

Overview

First reported 12 years ago

2012-09-11 19:55:00

Last updated 12 years ago

2012-09-12 14:30:00

Affected Software

Gentoo webmin 1.140.ebuild

1.140

Gentoo webmin 1.150.ebuild

1.150

Gentoo webmin 1.160.ebuild

1.160

Gentoo webmin 1.170

1.170

Gentoo webmin 1.180

1.180

Gentoo webmin 1.200

1.200

Gentoo webmin 1.210

1.210

Gentoo webmin 1.220

1.220

Gentoo webmin 1.230

1.230

Gentoo webmin 1.240

1.240

Gentoo webmin 1.260

1.260

Gentoo webmin 1.270

1.270

Gentoo webmin 1.280

1.280

Gentoo webmin 1.290

1.290

Gentoo webmin 1.300

1.300

Gentoo webmin 1.310

1.310

Gentoo webmin 1.320

1.320

Gentoo webmin 1.330

1.330

Gentoo webmin 1.340

1.340

Gentoo webmin 1.370

1.370

Gentoo webmin 1.380

1.380

Gentoo webmin 1.390

1.390

Gentoo webmin 1.400

1.400

Gentoo webmin 1.410

1.410

Gentoo webmin 1.420

1.420

Gentoo webmin 1.430

1.430

Gentoo webmin 1.440

1.440

Gentoo webmin 1.450

1.450

Gentoo webmin 1.470

1.470

Gentoo webmin 1.480

1.480

Gentoo webmin 1.500

1.500

Gentoo webmin 1.510

1.510

Gentoo webmin 1.520

1.520

Gentoo webmin 1.530

1.530

Gentoo webmin 1.550

1.550

Gentoo webmin 1.560

1.560

Gentoo webmin 1.570

1.570

Gentoo webmin 1.580

1.580

Gentoo webmin

References

http://americaninfosec.com/research/index.html

http://www.americaninfosec.com/research/dossiers/AISG-12-001.pdf

VU#788478

US Government Resource