------------------------------------------------------------------------ EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection ------------------------------------------------------------------------ Han Sahin, November 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that EMC M&R (Watch4net) does not protect against Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can compromise end user data and may allow an attacker to perform an account hijack. If the targeted end user is the administrator account, this results in a full compromise of Watch4net. ------------------------------------------------------------------------ Affected versions ------------------------------------------------------------------------ Versions of EMC ViPR SRM prior to version 3.7 are affected by these vulnerabilities. ------------------------------------------------------------------------ See also ------------------------------------------------------------------------ - http://seclists.org/bugtraq/2016/Apr/att-106/ESA-2016-039.txt - CVE-2016-0891 ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please note that this fix is only available for registered EMC Online Support customers. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20141109/emc_m_r__watch4net__lacks_cross_site_request_forgery_protection.html The following proof of concept will create a new user named CSRF with password set to 1 in Watch4net - provided that the victim is logged in with an administrator account.