vfront-0.99.2 CSRF & Persistent XSS
VFront is a dynamic front-end for MySQL, PostgreSQL and SQLite DBs.
Status: Beta
Brought to you by:
marciuz
Original advisory here: http://seclists.org/bugtraq/2015/Jun/11
Can you verify these issues? Do you have plans to fix these? Please mention security fixes in changelog if you do fix these issues.
http://hyp3rlinx.altervista.org/advisories/AS-VFRONT0602.txt
Hi, I've just fixed the issues in the SVN.
Maybe I'm wrong, but everything seems to start from the variabili.php script.
This script is accessible only to the administrator. If this is true, the hack can be done only by the admin (who hacks himself...).
The problem here is that an attacker can abuse the cross-site scripting vulnerability via cross-site request forgery.
Here is a description of CSRF:
When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
For more information please read:
http://cwe.mitre.org/data/definitions/352.html
https://scapsync.com/cwe/CWE-352
https://en.wikipedia.org/wiki/Cross-site_request_forgery
So basically an attacker adds malicious content to some web page, gets the admin user to visit that content using some method, and the XSS payload is then added automatically to the affected part of the application.
If you have any questions feel free to ask in here or contact me via email henri@nerv.fi
I can test your fixes later this week.
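As an added illustration of the two controls that break the chain described above (a forged request writing attacker content, and that content later being rendered as markup), here is a small standalone Python model of a synchronizer-token CSRF check plus output escaping. This is example code written for this ticket, not VFront's own code or its fix; the session store, the `handle_post`/`render_value` helpers, the `SITE_ORIGIN` value and the use of `variabili.php` as the form action are all assumptions made for the demonstration.

```python
"""Added example (not VFront code): synchronizer-token CSRF check plus output
escaping. Every name below (session store, handlers, site origin) is hypothetical."""
import hmac
import html
import secrets

# Hypothetical in-memory session store: session id -> per-session CSRF token.
SESSIONS = {}
# Hypothetical persistent store for the admin-editable value (stands in for a DB row).
STORED_VALUES = {}
# Constructed placeholder for the application's own origin.
SITE_ORIGIN = "https://vfront.example"


def start_session():
    """Create a session and mint a random token bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def render_form(sid):
    """Embed the session's token as a hidden field. A page on another origin
    cannot read this value, so a forged cross-site POST cannot include it."""
    token = SESSIONS[sid]
    return ('<form method="post" action="variabili.php">'
            f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'
            '<input type="text" name="value"><button>Save</button></form>')


def handle_post(sid, form, origin=None):
    """Accept the update only if the request proves it came from our own form.
    Returns (http_status, message)."""
    expected = SESSIONS.get(sid)
    if expected is None:
        return 403, "no session"
    # Defence in depth: when the browser sends an Origin header, it must be ours.
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "bad origin"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed via timing.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid csrf token"
    STORED_VALUES[sid] = form.get("value", "")
    return 200, "saved"


def render_value(sid):
    """Escape on output so a stored value is never interpreted as markup. This
    neutralises the persistent-XSS half even if the write path is ever abused."""
    return "<td>" + html.escape(STORED_VALUES.get(sid, "")) + "</td>"


if __name__ == "__main__":
    sid = start_session()
    token = SESSIONS[sid]
    # Legitimate submission from our own form: carries the token, same origin.
    print(handle_post(sid, {"value": "x", "csrf_token": token}, origin=SITE_ORIGIN))
    # Forged cross-site submission: no token, foreign origin -> rejected.
    print(handle_post(sid, {"value": "<script>alert(1)</script>"},
                      origin="https://attacker.example"))
    print(render_value(sid))
```

The token check is what closes the CSRF path on its own; the `Origin` comparison is only a second layer for browsers that send the header, and the output escaping is independent of both, which is why it is worth keeping even after the write path is protected.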