Submission #133: nopCommerce up to 4.2.0 RoxyFilemanController.cs Cross Site Request Forgery Info

Title: nopCommerce up to 4.2.0 RoxyFilemanController.cs Cross Site Request Forgery
Description: It was observed that the application, although implementing strong Cross-Site Request Forgery protection, allowed some requests to be sent without a valid synchronizer token. This allows attackers to cause application users or administrators to carry out functionality on their behalf, such as adding a new administrative user or changing a user's details. The affected component is an unknown functionality of the file Presentation/Nop.Web/Areas/Admin/Controllers/RoxyFilemanController.cs. CWE classifies the issue as CWE-352. This is going to have an impact on confidentiality, integrity, and availability. During the test, the only functionality found not to implement the CSRF protection was a specific instance of the file upload functionality. Nevertheless, in combination with the "Path Traversal" issue, further described in this report, this vulnerability can be exploited to achieve remote code execution on the hosting server, as detailed under "Remote Command Execution". The issue was previously mitigated by implementing the same-site cookie protection, which is set to "lax". However, the RoxyFileman implementation allows deleting, renaming and moving directories and files using the HTTP GET request method, making this kind of protection useless: with the same-site attribute set to "lax", cookies are sent in any case if the HTTP method is GET. Moreover, against any specification, the RoxyFileman implementation doesn't check the HTTP request method, meaning that it is possible to upload a file using a non-RFC-compliant GET (with a request body). The weakness was discovered by Alessandro Magnosi on 07/12/2019. This vulnerability has not been assigned a CVE ID yet. The exploitability is said to be easy. It is possible to launch the attack remotely. No authentication is necessary for exploitation. Technical details are known, but there is no available exploit.
The structure of the vulnerability defines a possible price range of USD $1k-$2k at the moment (estimation calculated on 04/26/2019). There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
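As an added example (not nopCommerce's own code), the following ASP.NET Core action filter shows the mitigation the description implies for this class of bug: it refuses GET requests that carry a body, accepts state-changing file-manager actions over POST only, and validates the synchronizer token instead of relying on SameSite=Lax cookies. The action names, the `a` query parameter and the DI wiring are assumptions, not taken from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
// Apply with [ServiceFilter(typeof(StateChangingRequestFilter))] on the file-manager controller
// and register it with services.AddScoped<StateChangingRequestFilter>() (assumed wiring).
public sealed class StateChangingRequestFilter : IAsyncActionFilter
{
    // Assumed file-manager action names selected through the "a" query parameter; each of them
    // modifies the server file system, so none may be reachable over GET.
    private static readonly HashSet<string> StateChangingActions = new HashSet<string>(
        new[] { "UPLOAD", "CREATEDIR", "DELETEDIR", "DELETEFILE", "RENAMEDIR",
                "RENAMEFILE", "MOVEDIR", "MOVEFILE", "COPYDIR", "COPYFILE" },
        StringComparer.OrdinalIgnoreCase);
    private readonly IAntiforgery _antiforgery;
    public StateChangingRequestFilter(IAntiforgery antiforgery) => _antiforgery = antiforgery;
    public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
    {
        HttpRequest request = context.HttpContext.Request;
        string action = request.Query["a"].ToString();
        // 1. A GET must never carry a body: a "GET with a request body" upload is refused outright.
        if (HttpMethods.IsGet(request.Method) && (request.ContentLength ?? 0) > 0)
        {
            context.Result = new BadRequestObjectResult("GET requests must not carry a body.");
            return;
        }
        // 2. State-changing actions are accepted over POST only. SameSite=Lax cookies are still
        //    attached to top-level GET navigations, so a mutating GET handler gets no protection.
        if (StateChangingActions.Contains(action) && !HttpMethods.IsPost(request.Method))
        {
            context.Result = new StatusCodeResult(StatusCodes.Status405MethodNotAllowed);
            return;
        }
        // 3. Every POST must carry a valid synchronizer token (form field or request header).
        if (HttpMethods.IsPost(request.Method))
        {
            try { await _antiforgery.ValidateRequestAsync(context.HttpContext); }
            catch (AntiforgeryValidationException)
            {
                context.Result = new BadRequestObjectResult("Missing or invalid antiforgery token.");
                return;
            }
        }
        await next();
    }
}
```

The filter complements, rather than replaces, the `[HttpPost]` and `[ValidateAntiForgeryToken]` attributes on individual actions: it closes the gap for a dispatcher-style action that selects its operation from a query parameter.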
Source: https://github.com/klezVirus/cves/tree/master/NopCommerce/Cross-Site-Request-Forgery
User: Anonymous User
Submitted: 2019-12-06 05:33 PM (6 years ago)
Moderation: 2019-12-10 08:59 AM (4 days later)
Status: Accepted
VulDB Entry: 146826 [Nop Solution Ltd nopCommerce 4.2.0 RoxyFileman RoxyFilemanController.cs GET Request Cross Site Request Forgery]
Points: 20
