Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[security] CSRF vulnerability exposed by modules #177

Open
spolu opened this issue Jul 23, 2014 · 1 comment
Open

[security] CSRF vulnerability exposed by modules #177

spolu opened this issue Jul 23, 2014 · 1 comment
Labels
Bug

Comments

@spolu
Copy link
Owner

spolu commented Jul 23, 2014

As reported by Adam from andyet.net over email:

Installing modules using Cross-Site Request Forgery (CSRF)

It's possible to install and run arbitrary modules using CSRF.

Even though the port that the control channel listens to is random in a
range, it's possible to fire off post requests to get the browser to
install a module of your choice and execute on the users system. I
believe the goal is to sandbox these modules at some point, but for now
the whole api is available.

Here is an example video of me using this with a reverse shell to get it
to work.

https://cloudup.com/cB32XDJdx-U

It's a bit contrived because I'm not brute forcing the port but it's
possible todo that and get it to work. Standard express CSRF measures
could maybe be used, or maybe use file sockets instead of tcp sockets
for communication?
@spolu spolu added the Bug label Jul 23, 2014
@spolu
Copy link
Owner Author

spolu commented Jul 23, 2014

This currently concerns all modules exposing a web service including mod_strip

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@spolu