Cross Site Request Forgery - [OWASP 2010 A 5] vulnerability found on ZCC page

  • 7012766
  • 02-Jul-2013
  • 16-Jan-2014

Environment

Novell ZENworks Configuration Management 11.2.3

Situation

Cross-site Request Forgery vulnerabilities allow unauthorized requests from a victim’s machine to improperly initiate transactions using an existing authenticated session.

Resolution

This is fixed in version 11.2.4 - see KB 7012027 "ZENworks Configuration Management 11.2.4 - update information and list of fixes" which can be found at https://support.microfocus.com/kb/doc.php?id=7012027

How it is fixed: Implemented the CSRF token like created a hidden field in the Form. the value of the form hidden element will be the session id which is generated from the secure random id. The token will be set in the Session which will be validate with the Form hidden element..when both are matched , the action would be executed..otherwise navigating to error page. the token generation would be unique for the each request.

Cause

As the Cross-site Request Forgery vulnerability says that it allows unauthorized requests from a victim’s machine to improperly initiate transactions using an existing authenticated session. this was not handled by the ZCM.

Status

Security Alert

Additional Information

Assigned CVE-2013-6346

This allows an attacker to perform all the legitimate actions which a legitimate user can perform after a log-in. All Web applications which use only HTTP cookies to store session information are vulnerable to CSRF. Such applications expose their users to a typical CSRF attack every time they log in to the application. For example, a banking application which is vulnerable to CSRF may allow an attacker to transfer funds from a victim’s account to his own account. If the victim is using an e-mail application vulnerable to CSRF, the attacker can send malicious e-mails using the victim’s account without her knowledge.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.