Centreon 2.6.1 CSRF Add Admin Exploit
Title: Centreon 2.6.1 CSRF Add Admin Exploit
Advisory ID: ZSL-2015-5263
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 26.09.2015

Summary
Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management.

Description
The application allows users to perform certain state-changing actions via HTTP requests without any check that the request was intentionally issued from the application itself (cross-site request forgery). This can be exploited to perform actions with administrative privileges, such as adding an administrator account, if a logged-in user visits a malicious web site.
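The missing check the description refers to is the one a synchronizer-token CSRF guard provides. The following is an added illustration written for this advisory, not Centreon's code and not the PoC: it shows a hypothetical privileged "add admin" handler that refuses any state-changing request unless it carries the session-bound token the server itself embedded in its form (which a cross-site page cannot read) and, when an Origin or Referer header is present, that header names the application's own origin. The SITE_ORIGIN value, the Session class, the handler names and the request dictionaries are all assumed or constructed for the example.

```python
"""Synchronizer-token CSRF guard in front of a privileged "add admin" action.

Added illustration, not Centreon code: the handler, the Session object and
the SITE_ORIGIN placeholder are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Placeholder for the monitoring server's own origin (assumed value).
SITE_ORIGIN = "https://monitoring.example.internal"

# Methods that must never change state, so they need no token.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Session:
    """Server-side session; the CSRF token is bound to it, never to the URL."""
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def issue_form_token(session):
    """Value the server embeds as a hidden field in its own forms. A page on
    another origin cannot read it (same-origin policy), so it cannot forge it."""
    return session.csrf_token


def request_is_trusted(session, method, headers, form):
    """Return (ok, reason). State-changing requests must carry a token matching
    the session's; an Origin/Referer from another site is rejected when present."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None and not (
        source == SITE_ORIGIN or source.startswith(SITE_ORIGIN + "/")
    ):
        return False, "cross-site Origin/Referer"
    token = form.get("csrf_token", "")
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not token or not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def add_admin_user(session, method, headers, form, users):
    """Hypothetical privileged action: create an administrator account.
    The CSRF check runs before any authorization decision or side effect."""
    ok, reason = request_is_trusted(session, method, headers, form)
    if not ok:
        return False, reason
    if not session.is_admin:
        return False, "not an administrator"
    login = form.get("login", "").strip()
    if not login:
        return False, "missing login"
    users[login] = {"admin": True, "created_by": session.user}
    return True, "created"


if __name__ == "__main__":
    admin = Session("alice", is_admin=True)
    users = {}
    # Constructed forged request: a third-party page auto-submits a POST that the
    # browser sends with the victim's cookies, but it cannot know the session token.
    print(add_admin_user(admin, "POST", {"Referer": "https://attacker.example/page"},
                         {"login": "newadmin"}, users))
    # Constructed legitimate request submitted from the application's own form.
    print(add_admin_user(admin, "POST", {"Origin": SITE_ORIGIN},
                         {"login": "bob", "csrf_token": issue_form_token(admin)}, users))
    print(users)
```

The Origin/Referer test is only a second line of defence: browsers may omit both headers, so the token comparison is the check that must never be skipped, and it has to run before the handler touches any state.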

Vendor
Centreon - https://www.centreon.com

Affected Version
2.6.1 (CES 3.2)

Tested On
CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3

Vendor Status
[10.08.2015] Vulnerability discovered.
[12.08.2015] Vendor contacted.
[13.08.2015] Vendor replies asking for more details.
[13.08.2015] Sent details to the vendor.
[14.08.2015] Vendor sends details to the development team.
[19.08.2015] Asked vendor for status update.
[19.08.2015] Vendor states that some issues were fixed in 2.6.2 and the rest will be fixed in 2.6.3 or 2.7.
[25.08.2015] Asked vendor for status update.
[25.08.2015] Vendor will get back to us by 15th of September because of holidays.
[16.09.2015] No reply from the vendor.
[17.09.2015] Informed vendor about public release.
[17.09.2015] Vendor has released version 2.6.2 fixing the file upload issue. Remaining issues promised to be fixed in next release.
[24.09.2015] Vendor releases version 2.6.3 to fix remaining issues?
[26.09.2015] Public security advisory released.

PoC
centreon_csrf.txt

Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References
[1] https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.2.html
[2] https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.3.html
[3] https://www.exploit-db.com/exploits/38339/
[4] https://packetstormsecurity.com/files/133751
[5] https://cxsecurity.com/issue/WLB-2015090169
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/106863
[7] https://secunia.com/advisories/66651/
[8] https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.5.html

Changelog
[26.09.2015] - Initial release
[07.10.2015] - Added references [3], [4], [5] and [6]
[10.11.2015] - Added reference [7]
[21.11.2015] - Added reference [8]

Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk