CVE-2021-46080
Exploit Title: Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)
Exploit Author: P.L.Sanu
CVE: CVE-2021-46080
CVSS: 4.8 MEDIUM
References:
- https://www.plsanu.com/vehicle-service-management-system-multiple-cross-site-request-forgery-csrf-leads-to-stored-cross-site-scripting-xss
- https://nvd.nist.gov/vuln/detail/CVE-2021-46080
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46080
Description:
A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.
1. Vehicle Service Management System - 'Mechanic List' (/admin/?page=mechanics)
Exploit:
- Visit the admin panel http://localhost/vehicle_service/admin
- Create two admin accounts.
- Login the Admin-1 account in Browser A (Chrome)
- Login the Admin-2 account in Browser B (Firefox)
- In Admin-1 account(Chrome) navigate to the Mechanic List section and click on Create New button.
- Inject the below payload in Full Name input field.
Payload:
"><script>alert(document.cookie)</script>- Click on Save button.
- Capture the request in burpsuite and generate the CSRF Html File.
- Save the CSRF Html file For Ex: CSRF.html
- In Browser B (Firefox) browse the CSRF.html file.
- Navigate to the Mechanic List section in Browser B (Firefox).
- Malicious javascript code triggered.
2. Vehicle Service Management System - 'Service Requests' (/admin/?page=service_requests)
Exploit:
- Visit the admin panel http://localhost/vehicle_service/admin
- Create two admin accounts.
- Login the Admin-1 account in Browser A (Chrome)
- Login the Admin-2 account in Browser B (Firefox)
- In Admin-1 account(Chrome) navigate to the Service Requests section and click on Create New button.
- Inject the below payload in Owner Contact input field.
Payload:
"><script>alert(document.cookie)</script>- Click on Save Request button.
- Capture the request in burpsuite and generate the CSRF Html File.
- Save the CSRF Html file For Ex: CSRF.html
- In Browser B (Firefox) browse the CSRF.html file.
- Navigate to the Service Requests section in Browser B (Firefox).
- Choose the newly created Service Requests and click on Action under View.
- Malicious javascript code triggered.
3. Vehicle Service Management System - 'Category List' (/admin/?page=maintenance/category)
Exploit:
- Visit the admin panel http://localhost/vehicle_service/admin
- Create two admin accounts.
- Login the Admin-1 account in Browser A (Chrome)
- Login the Admin-2 account in Browser B (Firefox)
- In Admin-1 account(Chrome) navigate to the Category List section and click on Create New button.
- Inject the below payload in Category Name input field.
Payload:
"><script>alert(document.cookie)</script>- Click on Save button.
- Capture the request in burpsuite and generate the CSRF Html File.
- Save the CSRF Html file For Ex: CSRF.html
- In Browser B (Firefox) browse the CSRF.html file.
- Navigate to the Category List section in Browser B (Firefox).
- Malicious javascript code triggered.
4. Vehicle Service Management System - 'Service List' (/admin/?page=maintenance/services)
Exploit:
- Visit the admin panel http://localhost/vehicle_service/admin
- Create two admin accounts.
- Login the Admin-1 account in Browser A (Chrome)
- Login the Admin-2 account in Browser B (Firefox)
- In Admin-1 account(Chrome) navigate to the Service List section and click on Create New button.
- Inject the below payload in Service Name input field.
Payload:
"><script>alert(document.cookie)</script>- Click on Save button.
- Capture the request in burpsuite and generate the CSRF Html File.
- Save the CSRF Html file For Ex: CSRF.html
- In Browser B (Firefox) browse the CSRF.html file.
- Navigate to the Service List section in Browser B (Firefox).
- Malicious javascript code triggered.
5. Vehicle Service Management System - 'User List' (/admin/?page=user/list)
Exploit:
- Visit the admin panel http://localhost/vehicle_service/admin
- Create two admin accounts.
- Login the Admin-1 account in Browser A (Chrome)
- Login the Admin-2 account in Browser B (Firefox)
- In Admin-1 account(Chrome) navigate to the User List section and click on Create New button.
- Inject the below payload in First Name input field.
Payload:
"><script>alert(document.cookie)</script>- Click on Save button.
- Capture the request in burpsuite and generate the CSRF Html File.
- Save the CSRF Html file For Ex: CSRF.html
- In Browser B (Firefox) browse the CSRF.html file.
- Navigate to the User List section in Browser B (Firefox).
- Malicious javascript code triggered.
6. Vehicle Service Management System - 'Settings' (/admin/?page=system_info)
Exploit:
- Visit the admin panel http://localhost/vehicle_service/admin
- Create two admin accounts.
- Login the Admin-1 account in Browser A (Chrome)
- Login the Admin-2 account in Browser B (Firefox)
- In Admin-1 account(Chrome) navigate to the Settings section.
- Inject the below payload in System Name input field.
Payload:
"><script>alert(document.cookie)</script>- Click on Update button.
- Capture the request in burpsuite and generate the CSRF Html File.
- Save the CSRF Html file For Ex: CSRF.html
- In Browser B (Firefox) browse the CSRF.html file.
- Navigate to the Settings section in Browser B (Firefox).
- Malicious javascript code triggered.
Impact:
Cross-Site Request Forgery vulnerability exists in Multiple endpoints it leads to Stored Cross Site Scripting Vulnerability.
Mitigation:
It is recommended to implement the following:
- Unpredictable with high entropy, as for session tokens in general.
- Tied to the user's session.
- Strictly validated in every case before the relevant action is executed.