Objective
Our target is qdPM, a free project management tool. The tool with the 9.2 version is vulnerable to Cross-site Request Forgery and we are going to inspect the application to leverage the vulnerability. First, we will try to exploit ourselves then we will check the defined CVE and exploit.
What is CSRF?
Based on Web Security Academy:
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It will enable an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token should be:
- Unpredictable with high entropy, as for session tokens in general;
- Tied to the user’s session;
- Must be strictly validated in every case before the relevant action is executed.
Inspecting application & traffic
Application has update profile functionality which updates user details including password. One of the issues is that the application does not verify the current password. Therefore, a user even who does not know the current password of the user can update the password of the user.
Secondly, when we are updating our details, we can see that no CSRF token was put in place. Let’s intercept traffic with Burp Suite. The application updates data via the “index.php/myAccount/update” URI.
Generating exploit
Now, we are sure that there is no implementation of the CSRF token and we can generate a malicious HTML page for delivering victims via our attacking server.
Source code:
…[snip]…
Exploit:
- Tampered data and malicious HTML page for hosting on attacking server.
- Assign a new password in hidden input for the password.
Time to run an ad hoc HTTP static server in our directory where “exploit.html” locates.
Deliver exploit to the victim and automatically force them to change the password assigned by you. Finally, the profile was updated and the password of the user has been changed successfully 😊.
Log in to the system with updated credentials.
CVE-2022-26180
qdPM 9.2 allows Cross-Site Request Forgery (CSRF) via the index.php/myAccount/update URI. Exploit is available on the exploit-DB.
