Re: XSRF (CSRF) in Zimplit

[security curmudgeon <jericho () attrition org>]

Hi HTBridge,

: Vulnerability ID: HTB22605
: Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_zimplit.html
: Vendor: Zimplit Ltd. ( http://www.zimplit.com/ ) 
: Vulnerable Version: 3.0 and Probably Prior Versions
: Vendor Notification: 15 September 2010 
: Vulnerability Type: CSRF (Cross-Site Request Forgery)
: Risk level: Low 
: Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 
: 
: Vulnerability Details:
: The vulnerability exists due to failure in the "zimplit.php" script to properly verify the source of HTTP request.
: 
: Successful exploitation of this vulnerability could result in a 
: compromise of the application, theft of cookie-based authentication 
: credentials, disclosure or modification of sensitive data.
: 
: Attacker can use browser to exploit this vulnerability. The PoC example:
: http://host/zimplit.php?action=load&file=../hello.php
: This PoC leads to the execution of the "hello.php" in the parent folder.

One thing you fail to mention, is that the file that can be called via the 
'file' parameter is limited to ones in the web root. Under most 
circumstances, that considerably limits the attack vectors available. I 
wanted to make this clear since your wording implies there is a privileged 
traversal here, when there isn't.

The real threat here, is that the application is vulnerable to CSRF, and 
an admin user can be tricked into performing other, more serious actions. 
Demonstrating a few of those vectors would be more helpful.

- security curmudgeon