# +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ # | ___ _ _____ _ _ | # | / _ \| | |_ _| | | (_) | # | / /_\ \ |__ ___ __ _ _ __ | | __ _| |__ _ _ __ | # | | _ | '_ \/ __|/ _` | '_ \ | |/ _` | '_ \| | '__| | # | | | | | | | \__ \ (_| | | | | | | (_| | | | | | | | # | \_| |_/_| |_|___/\__,_|_| |_| \_/\__,_|_| |_|_|_| | # | // Breaking Security Since Born! | # | | # | [-] Website: https://ahsantahir.py | # | [-] Email: support@ahsantahir.py | # | | # +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ ### # Title : VendHQ Add-admin CSRF Vulnerability [Full-Store Takeover] # Author : Ahsan Tahir # E-mail : mrahsan1337@gmail.com / support@ahsantahir.py # Web Site : www.ahsantahir.py # Facebook: http://fb.me/ahsantahiratofficial # Twitter : @AhsanTahirAT # Tested on : Kali Linux 2.0, Windows 8.1 # Vendor : https://www.vendhq.com ### Release Date: ============= 2016-10-14 Product & Service Introduction: =============================== Vend is retail POS software, inventory management, ecommerce & customer loyalty for iPad, Mac and PC. Easily manage & grow your business in the cloud. Abstract Advisory Information: ============================== Ahsan Tahir, an independent vulnerability researcher discovered an add-admin CSRF vulnerability, which could lead to full store-takeover of any VendHQ store! Vulnerability Disclosure Timeline: ================================== 2016-07-20: Found the vulnerability. 2016-07-20: Reported to vendor. 2016-07-22: Vendor Replied. 2016-07-22: Vendor Fixed the vulnerability. 2016-07-31: Vendor rewarded the researcher. 2016-10-14: Public Disclosure Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A Cross-Site Request Forgery vulnerability has been discovered in VendHQ stores. This allows remote attackers to craft a HTML Form, which requests a new admin on vendhq stores, when run by a victim, while he/she is logged in, and if the victim visits a page, his/her store will be HACKED/Pwn3d! Proof of Concept (PoC): ======================= This vulnerability can be exploited by an attacker if he/she injects this code in his webpage, which they want their victim to visit!
While a victim is logged in to his/her vend store and visits a webpage with the above code injected, a new admin will be created in their store, with the name as "Hacked" and the Password is "TestPassword1" and email: ahsan@ahsan.com Credits & Authors: ================== Ahsan Tahir - [https://twitter.com/AhsanTahirAT]