| Anonymous | Login | Signup for a new account | 2010-09-05 06:12 EEST |
| Main | My View | View Issues | Change Log | Roadmap | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ >> ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | |||||||
| 0000021 | [Starfish PBX] Web Admin Interface | crash | always | 2009-09-03 07:09 | 2009-09-03 14:06 | |||||||
| Reporter | rgavril | View Status | public | |||||||||
| Assigned To | rgavril | |||||||||||
| Priority | immediate | Resolution | open | |||||||||
| Status | assigned | |||||||||||
| Summary | 0000021: Multiple Security Flaws | |||||||||||
| Description |
As Russ McRee pointed up in a email: Advisory number is HIO-2009-0910 and URL will be http://holisticinfosec.org/content/view/126/45/ [^] when it is the appropriate time to go live. All test conducted on local test installation Starfish PBX contains multiple flaws that allow cross-site scripting, cross-site request forgery, and directory traversal. 1) XSS: Input passed to the "search" parameter via GET is not properly verified before being submitted to Extensions_List.php. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) CSRF: The application allows users to perform all admin actions via HTTP requests without performing any validation checks to verify the requests. This can be exploited to e.g. perform administrative functions when a logged in user views a malicious web page. 3) SQLi: Startfish PBX contains a flaw that allows a remote SQL injection. Input passed to the "search" parameter via GET is not properly verified before being submitted to Extensions_List.php. SQLi: http://192.168.248.102/starfish-pbx/admin/Extensions_List.php?Search=%271%3D1-- [^] XSS: http://192.168.248.102/starfish-pbx/admin/Extensions_List.php?Search=%22%3E%3CSCRIPT%3Ealert%28document.cookie%29%3C%2FSCRIPT%3E [^] CSRF: GET example (POST admin functions vulnerable too) <html> <head> <title>CSRF Test: Is your app vulnerable?</title> </head> <body onload=location.reload(true) bgcolor=#000000><font color=blue><h2>Please wait while your webapp is tested for CSRF...if you've been logged out, it's vulnerable.</h2></font> <img src=http://holisticinfosec.org/images/dontpanic.jpg> [^] <img alt=' ' src=http://192.168.248.102/starfish-pbx/admin/Logout.php> [^] </body></html> |
|||||||||||
| Additional Information | ||||||||||||
| Tags | No tags attached. | |||||||||||
| Attached Files | ||||||||||||
|
|
||||||||||||
 Relationships |
|
|
Notes |
|
|
(0000027) rgavril (administrator) 2009-09-03 14:06 |
SQLi and XSS fixed in svn revision 47 |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2009-09-03 07:09 | rgavril | New Issue | |
| 2009-09-03 07:10 | rgavril | Status | new => assigned |
| 2009-09-03 07:10 | rgavril | Assigned To | => rgavril |
| 2009-09-03 14:06 | rgavril | Note Added: 0000027 | |
| Mantis 1.1.8[^] Copyright © 2000 - 2009 Mantis Group |  |
