1 (edited by albertolima 02/21/2018 03:20:48 am)

Topic: Security Vulnerability Reported v2.4.3 CSRF

Hi all,
Just saw this vulnerability announced on the US National Vulnerability Database.
https://nvd.nist.gov/vuln/detail/CVE-2018-7176

It says:
Cross Site Request Forgery- Front Accounting ERP 2.4.3
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).

Do we have any security expert in the forum that could look into this?

CVE Dictionary Entry: CVE-2018-7176
Original release date: 02/15/2018
Last revised: 02/18/2018
Source: US-CERT/NIST

This vulnerability is currently awaiting analysis.
CVE-2018-7176 Detail: AWAITING ANALYSIS

Re: Security Vulnerability Reported v2.4.3 CSRF

There was a CSRF case for a while in FA v2.3.12 stated in my post then.

The said file admin/users.php was last modified on 2015-05-10.

The exploit form, when submitted, returns the following:

{
    "id":"0"
   ,"js":[
    {
    "n":"up"
   ,"t":"_page_body"
   ,"why":"_page_body"
   ,"data":"<br><br><form method='post' action='\/frontaccounting\/admin\/users.php?' name='loginform'>\n<center><table class='login' cellpadding='2' cellspacing='0'>\n<tr>\n<td align='center' colspan=2><a target='_blank' href='http:\/\/frontaccounting.com'><img src='..\/themes\/default\/images\/logo_frontaccounting.png' alt='FrontAccounting' height='50' onload='fixPNG(this)' border='0' ><\/a><\/td>\n<\/tr>\n<tr><td colspan=2 class='tableheader'>Version 2.4.3   Build 04.02.2018 - Login<\/td><\/tr>\n<tr><td class='label'>User name<\/td><td><input  type=\"text\" name=\"user_name_entry_field\" size=\"20\" maxlength=\"30\" value=\"\"><\/td>\n<\/tr>\n<tr><td class='label'>Password:<\/td><td ><input type='password' name='password' size=20 maxlength=20 value='' ><\/td>\n<\/tr>\n<tr><td>Company<\/td><td><select name='company_login_name'>\n<option value=0 selected>Default24 Company<\/option><option value=1 >Training24 Co<\/option><option value=2 >South Africa Company<\/option><\/select>\n<\/td><\/tr><tr>\n<td colspan=2 align='center' id='log_msg'>Please login here<\/td>\n<\/tr>\n<\/table><\/center>\n<br><input type='hidden' id=ui_mode name='ui_mode' value='' >\n<center><input type='submit' value='&nbsp;&nbsp;Login -->&nbsp;&nbsp;' name='SubmitUser' onclick='set_fullmode();' ><\/center>\n<input type='hidden' name='show_inactive' value=''><input type='hidden' name='user_id' value='Newadmin'><input type='hidden' name='real_name' value='New Admin'><input type='hidden' name='phone' value=''><input type='hidden' name='email' value=''><input type='hidden' name='role_id' value='8'><input type='hidden' name='language' value='C'><input type='hidden' name='pos' value='1'><input type='hidden' name='print_profile' value=''><input type='hidden' name='rep_popup' value='1'><input type='hidden' name='ADD_ITEM' value='Add new'><input type='hidden' name='_focus' value='user_id'><input type='hidden' name='_modified' value='0'><input type='hidden' name='_confirmed' value=''><input type='hidden' 
name='_token' value='Ta6aiT2xqlL2vg8u9aAvagxx'><input type='hidden' name='_random' value='757897.6552143205\r\n'><br><input type=\"hidden\" name=\"_focus\" value=\"user_id\"><input type=\"hidden\" name=\"_modified\" value=\"0\"><input type=\"hidden\" name=\"_confirmed\" value=\"\"><input type=\"hidden\" name=\"_token\" value=\"A83xncEdy_cwjfrIEHd03wxx\"><\/form>\n<script language='JavaScript' type='text\/javascript'>\n    \/\/<![CDATA[\n            <!--\n            document.forms[0].user_name_entry_field.select();\n            document.forms[0].user_name_entry_field.focus();\n            \/\/-->\n    \/\/]]>\n    <\/script>"
    }
   ,{
    "n":"js"
   ,"why":true
   ,"data":"document.forms[0].password.focus();"
   }
   ]
   ,"text":""
}

When the exploit form was submitted after having logged in, the following page was output:

{
    "id":"0"
   ,"js":[
    {
    "n":"up"
   ,"t":"_page_body"
   ,"why":"_page_body"
   ,"data":"<form method='post' action='\/frontaccounting\/admin\/users.php' >\n<center><table class='tablestyle' cellpadding='2' cellspacing='0'>\n<tr>\n<td class='tableheader' >User login<\/td>\n<td class='tableheader' >Full Name<\/td>\n<td class='tableheader' >Phone<\/td>\n<td class='tableheader' >E-mail<\/td>\n<td class='tableheader' >Last Visit<\/td>\n<td class='tableheader' >Access Level<\/td>\n<td class='tableheader' ><\/td>\n<td class='tableheader' ><\/td>\n<\/tr>\n<tr class='evenrow'>\n<td >admin<\/td>\n<td >Administrator<\/td>\n<td ><\/td>\n<td ><a href='mailto:adm@example.com'>adm@example.com<\/a><\/td>\n<td nowrap>02\/21\/2018<\/td>\n<td >System Administrator<\/td>\n<td align='center'><button type='submit' class='editbutton' name='Edit1' value='1' title='Edit' ><img src='..\/themes\/default\/images\/edit.gif' style='vertical-align:middle;width:12px;height:12px;border:0;' >\n<\/button>\n<\/td><td ><\/td>\n<\/tr>\n<tr><td colspan=8><div style='float:left;'><input type='checkbox' name='show_inactive' value='1' onclick='JsHttpRequest.request(\"_show_inactive_update\", this.form);' >\nShow also Inactive<\/div><div style='float:right;'><button class=\"inputsubmit\" type=\"submit\" style='display:none;' name=\"Update\"  id=\"Update\" value=\"Update\"><span>Update<\/span><\/button>\n<\/div><\/td><\/tr><\/table><\/center>\n<br><center><table class='tablestyle2' cellpadding='2' cellspacing='0'>\n<tr><td class='label'>User Login:<\/td><td><input  type=\"text\" name=\"user_id\" size=\"22\" maxlength=\"20\" value=\"Newadmin\"><\/td>\n<\/tr>\n<tr><td class='label'>Password:<\/td><td ><input type='password' name='password' size=20 maxlength=20 value='' ><\/td>\n<\/tr>\n<tr><td class='label'>Full Name:<\/td><td><input  type=\"text\" name=\"real_name\" size=\"50\" maxlength=\"50\" value=\"New Admin\" ><\/td>\n<\/tr>\n<tr><td class='label'>Telephone No.:<\/td><td><input  type=\"text\" name=\"phone\" size=\"30\" maxlength=\"30\" value=\"\" ><\/td>\n<\/tr>\n<tr><td 
class='label'>Email Address:<\/td><td><input  type=\"text\" name=\"email\" size=\"50\" maxlength=\"50\" value=\"\" ><\/td>\n<\/tr>\n<tr><td class='label'>Access Level:<\/td><td><span id='_role_id_sel'><select id='role_id' autocomplete='off'  name='role_id' class='combo' title='' ><option selected  value='8'>AP Officer<\/option>\n<option   value='7'>AR Officer<\/option>\n<option   value='1'>Inquiries<\/option>\n<option   value='9'>Accountant<\/option>\n<option   value='5'>Production Manager<\/option>\n<option   value='6'>Purchase Officer<\/option>\n<option   value='3'>Salesman<\/option>\n<option   value='4'>Stock Manager<\/option>\n<option   value='10'>Sub Admin<\/option>\n<option   value='2'>System Administrator<\/option>\n<\/select>\n<\/span>\n<\/td>\n<\/tr>\n<tr><td class='label'>Language:<\/td><td><span id='_language_sel'><select autocomplete='off'  name='language' class='combo' title=''><option selected value='C'>English<\/option>\n<\/select>\n<\/span>\n<\/td>\n<\/tr>\n<tr><td class='label'>User's POS:<\/td>\n<td><span id='_pos_sel'><select id='pos' autocomplete='off'  name='pos' class='combo' title='' ><option selected  value='1'>Default<\/option>\n<\/select>\n<\/span>\n<\/td><\/tr>\n<tr><td class='label'>Printing profile:<\/td>\n<td><span id='_print_profile_sel'><select autocomplete='off'  name='print_profile' class='combo' title=''><option selected value=''>Browser printing support<\/option>\n<option  value='Central'>Central<\/option>\n<option  value='Out of office'>Out of office<\/option>\n<option  value='Sales Department'>Sales Department<\/option>\n<\/select>\n<\/span>\n<input  type='submit' class='combo_select' style='border:0;background:url(..\/themes\/default\/images\/button_ok.png) no-repeat;display:none;' aspect='fallback' name='_print_profile_update' value=' ' title='Select'> \n<\/td><\/tr>\n<tr><td class='label'>Use popup window for reports:<\/td><td ><input checked type='checkbox' name='rep_popup' value='1' title='Set this option to on if your 
browser directly supports pdf files' >\n<\/td><\/tr>\n<\/table><\/center>\n<br><center><button class=\"ajaxsubmit\" type=\"submit\" aspect='default'  name=\"ADD_ITEM\"  id=\"ADD_ITEM\" value=\"Add new\"><img src='..\/themes\/default\/images\/ok.gif' height='12' alt=''><span>Add new<\/span><\/button>\n<\/center><input type=\"hidden\" name=\"_focus\" value=\"user_id\"><input type=\"hidden\" name=\"_modified\" value=\"0\"><input type=\"hidden\" name=\"_confirmed\" value=\"\"><input type=\"hidden\" name=\"_token\" value=\"xug4LnCbMhztG65aZRdVUgxx\"><\/form>\n<center><center><table width='20%' cellpadding='2' cellspacing='0'>\n<tr>\n<td align=center><a href='javascript:goBack();'>Back<\/a><\/td>\n<\/tr>\n<\/table><\/center>\n<\/center><br>"
    }
   ,{
    "n":"fc"
   ,"why":true
   ,"data":"user_id"
   }
   ,{
     "n":"js"
    ,"why":"editors"
    ,"data":"editors = [  ];"
    }
    ]
   ,"text":"<div class='err_msg'>Request from outside of this page is forbidden.<\/div>"
}

Hence it is seen that it is not affected.
The hidden field _token is present in the form and is checked by the server side, and hence protects it from maliciously submitted data.
This was tested in the FA 2.4.3+ Current Git Master using PHP 5.3.1 on XAMPP 1.7.3. If this issue persists in other installs, indicate versions of PHP / MySQL / WebServer used.

Post's attachments

csrf_test.zip 556 b, 1 downloads since 2018-02-21 

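The defence the post above relies on is the synchronizer-token pattern: the server stores a per-session random value, emits it as the hidden _token field, and refuses any POST whose _token does not match. The following is an added illustration of that check, not FrontAccounting's own code (FA is PHP; this is a self-contained Python model). The Session class, the function names, the token length and the single-use behaviour are assumptions; the rejection text is copied from the captured output, and the forged hidden-field value is the one visible in the exploit form's output.

```python
import hmac
import secrets

# Message taken from the captured server response above.
FORBIDDEN_MSG = "Request from outside of this page is forbidden."


class Session:
    """Constructed stand-in for a server-side session store (assumption)."""

    def __init__(self):
        self.tokens = set()  # tokens issued to this session, not yet consumed


def issue_token(session):
    """Mint an unguessable token and remember it in the session."""
    token = secrets.token_urlsafe(18)
    session.tokens.add(token)
    return token


def render_add_user_form(session):
    """Return the hidden field a legitimate page would carry, plus the token."""
    token = issue_token(session)
    return f"<input type='hidden' name='_token' value='{token}'>", token


def handle_add_user(session, post):
    """Server-side check: only a token this session issued may add a user.

    post is a dict of submitted form fields. A forged page hosted elsewhere
    cannot read the victim's session token, so its _token (empty or a value
    from the attacker's own page) never matches and the request is refused.
    """
    submitted = str(post.get("_token", ""))
    # Constant-time comparison against every live token; all tokens are ASCII.
    valid = any(
        hmac.compare_digest(submitted.encode(), t.encode()) for t in session.tokens
    )
    if not valid:
        return {"status": 403, "text": FORBIDDEN_MSG, "created": None}
    session.tokens.discard(submitted)  # single use: a replayed token is refused
    return {"status": 200, "text": "", "created": post.get("user_id")}


def demo():
    """Walk through a legitimate submit, a forged submit and a replay."""
    session = Session()
    _field, token = render_add_user_form(session)
    # Constructed submissions: the hidden fields of the exploit form seen above.
    forged = {"user_id": "Newadmin", "real_name": "New Admin", "role_id": "8",
              "ADD_ITEM": "Add new", "_token": "Ta6aiT2xqlL2vg8u9aAvagxx"}
    genuine = dict(forged, _token=token)
    results = [
        handle_add_user(session, forged)["status"],   # 403: token not from this session
        handle_add_user(session, genuine)["status"],  # 200: token matches
        handle_add_user(session, genuine)["status"],  # 403: token already consumed
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

The important property is that the token lives in the victim's session and is only ever written into pages the server itself renders; an attacker's page can set every other hidden field (user_id, role_id, ADD_ITEM) but has no way to obtain the matching _token, which is why the captured response ends in the forbidden message rather than a new user row.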

Re: Security Vulnerability Reported v2.4.3 CSRF

Looks like this is an old CSRF vulnerability for FA v2.3.4 as of 2011-03-05 wrongly posted here as for v2.4.3.
https://0day.today/exploit/16029

Post's attachments

CSRF_FA_2.3.4.png 38.7 kb, file has never been downloaded. 


Re: Security Vulnerability Reported v2.4.3 CSRF

Thanks Apmuthu. Well noted.