CVE-2015-20117
Awaiting Analysis - Queue
CSRF in RealtyScript 4.0.2 Enables Admin Account Creation

Publication date: 2026-03-16

Last updated on: 2026-03-19

Assigner: VulnCheck

Description
Next Click Ventures RealtyScript 4.0.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create unauthorized user accounts and administrative users by crafting malicious forms. Attackers can submit hidden form data to /admin/addusers.php and /admin/editadmins.php endpoints to register new users with arbitrary credentials and escalate privileges to SUPERUSER level.
Meta Information
Published
2026-03-16
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-14
NVD
EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor              Product        Version / Range
nextclickventures   realtyscript   4.0.2
Helpful Resources
Exploitability
CWE
KEV
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Quick Actions
Executive Summary

CVE-2015-20117 is a Cross-Site Request Forgery (CSRF) vulnerability in RealtyScript version 4.0.2. It allows unauthenticated attackers to create unauthorized user accounts, including administrative users with SUPERUSER privileges. Attackers achieve this by crafting malicious forms that submit hidden data to specific endpoints, namely /admin/addusers.php and /admin/editadmins.php, thereby registering new users with arbitrary credentials and escalating their privileges.

Impact Analysis

This vulnerability can impact you by allowing attackers to create unauthorized user accounts without any authentication or user interaction. They can escalate these accounts to administrative SUPERUSER level, potentially compromising the integrity of your system. Although the confidentiality and availability impacts are limited, the integrity of your user management and administrative controls can be severely affected.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious HTTP POST requests to the endpoints /admin/addusers.php and /admin/editadmins.php. Specifically, look for requests that include form data attempting to create new user accounts or escalate privileges.

Network traffic analysis tools or web server logs can be used to identify such requests.

- Use tools like curl or wget to simulate or detect suspicious POST requests.
- Example commands to check for suspicious POST requests in web server logs (assuming Apache logs):

  grep -i 'POST /admin/addusers.php' /var/log/apache2/access.log
  grep -i 'POST /admin/editadmins.php' /var/log/apache2/access.log

- Use a packet capture tool like tcpdump or Wireshark to filter HTTP POST requests to these endpoints.
- Example tcpdump command (the BPF expression selects only TCP segments that carry payload, so empty ACKs are skipped):

  tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i '/admin/addusers.php\|/admin/editadmins.php'
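The grep commands above only tell you that a POST to the endpoint happened; a forged cross-site request is distinguished from an admin's own legitimate submission mostly by where the browser says it came from. The following script is an added example, not part of the advisory and not tooling from the RealtyScript project: it parses Apache combined-format log lines (which include the Referer) and flags POSTs to the two endpoints named in the CVE whose Referer is absent or names another host. The log lines, IP addresses and host names are constructed for the demonstration.

```python
"""Added example (not from the advisory): scan Apache combined-format access
log lines for POSTs to the two RealtyScript admin endpoints named in the CVE
and flag those whose Referer is absent or from another host, the usual shape
of a forged cross-site request. Sample log lines are constructed."""
import re
from urllib.parse import urlsplit

# Endpoints named in the CVE description.
SENSITIVE_ENDPOINTS = ("/admin/addusers.php", "/admin/editadmins.php")

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it
    does not match (e.g. a truncated or differently formatted entry)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cross_site(referer, site_host):
    """True when the Referer is missing or names a host other than the site.
    A missing Referer counts as suspicious, not benign: a lure page can
    suppress it with a referrer policy, so "-" must not be a free pass."""
    if referer in ("", "-"):
        return True
    host = urlsplit(referer).hostname
    return host is None or host.lower() != site_host.lower()


def find_csrf_candidates(lines, site_host):
    """Return one finding per POST to a sensitive endpoint that did not
    originate from a page on site_host."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]   # drop any query string
        if path not in SENSITIVE_ENDPOINTS:
            continue
        if is_cross_site(rec["referer"], site_host):
            findings.append({
                "ip": rec["ip"], "time": rec["time"], "path": path,
                "status": rec["status"], "referer": rec["referer"],
            })
    return findings


# Constructed sample lines (RFC 5737 documentation addresses, example hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Mar/2026:10:02:11 +0000] "POST /admin/addusers.php HTTP/1.1" 302 0 "http://lure.example/page.html" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Mar/2026:10:05:42 +0000] "POST /admin/addusers.php HTTP/1.1" 200 1532 "https://realty.example.com/admin/addusers.php" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Mar/2026:10:06:01 +0000] "POST /admin/editadmins.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Mar/2026:10:07:30 +0000] "GET /admin/addusers.php HTTP/1.1" 200 4021 "https://realty.example.com/admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_csrf_candidates(SAMPLE_LOG, "realty.example.com"):
        print(f"{f['time']} {f['ip']} POST {f['path']} status={f['status']} "
              f"referer={f['referer']!r}")
```

Run against the constructed sample, the script reports the two POSTs that lack a same-site Referer (one from a foreign page, one with no Referer at all) and ignores both the admin's own form submission and the GET that merely loaded the page. Treat the output as a triage queue: a 302 or 200 on a flagged request means the account change most likely went through and should be checked against the user table.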

Mitigation Strategies

Immediate mitigation steps include implementing CSRF protection mechanisms such as requiring CSRF tokens on sensitive forms, especially those at /admin/addusers.php and /admin/editadmins.php.

Restrict access to these administrative endpoints to trusted IP addresses or authenticated users only.

Apply web application firewall (WAF) rules to detect and block suspicious POST requests targeting these endpoints.

If possible, update or patch RealtyScript to a version that addresses this vulnerability.

Monitor logs and network traffic for signs of exploitation attempts and revoke any unauthorized accounts immediately.
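Of the steps above, the CSRF token is the one that actually closes the hole: an IP allow-list or a WAF rule does not stop a forged request, because the browser of an already-logged-in administrator sends it from a trusted address with the admin's own session cookie. The block below is an added example in plain Python, not RealtyScript code (which is PHP) and not a patch from the vendor; it shows the synchronizer-token pattern the mitigation advice refers to, with a dict standing in for the server-side session, an Origin-header check as defence in depth, and the unprotected handler beside the hardened one so the difference is visible. The request shapes, field names and host names are assumptions for illustration.

```python
"""Added example (not RealtyScript code): the synchronizer-token pattern for
a state-changing admin form, with a dict standing in for the server session.
Request and form shapes are assumptions for illustration."""
import hmac
import secrets
from urllib.parse import urlsplit

TOKEN_FIELD = "csrf_token"   # assumed name of the hidden form field


def issue_csrf_token(session):
    """Mint one unguessable token per session and embed it in every
    state-changing form as a hidden field. A forging site cannot read it,
    because the same-origin policy keeps the admin's pages private."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def csrf_token_valid(session, submitted):
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def same_site_origin(headers, site_host):
    """Defence in depth: a browser-sent Origin naming another host is a sure
    sign of a cross-site request. A missing Origin is not proof either way,
    so the token check remains the primary control."""
    origin = headers.get("Origin")
    if origin is None:
        return True
    return (urlsplit(origin).hostname or "").lower() == site_host.lower()


def add_user_vulnerable(session, form, headers):
    """Before: trusts the session cookie alone, so a hidden form on any page
    the admin visits can drive it (the shape of CVE-2015-20117)."""
    if not session.get("admin_logged_in"):
        return 401, "not authenticated"
    return 200, f"user {form['username']} created with level {form['level']}"


def add_user_hardened(session, form, headers, site_host="realty.example.com"):
    """After: same handler, but the request must carry the session's token
    and must not arrive from a foreign Origin."""
    if not session.get("admin_logged_in"):
        return 401, "not authenticated"
    if not same_site_origin(headers, site_host):
        return 403, "cross-site origin rejected"
    if not csrf_token_valid(session, form.get(TOKEN_FIELD)):
        return 403, "missing or invalid CSRF token"
    return 200, f"user {form['username']} created with level {form['level']}"


def demo():
    """Constructed requests: a forged one submitted from a lure page, and a
    genuine one built from a form that embedded the session's token."""
    session = {"admin_logged_in": True}
    forged_form = {"username": "newadmin", "level": "SUPERUSER"}
    forged_headers = {"Origin": "http://lure.example"}
    genuine_form = {"username": "alice", "level": "AGENT",
                    TOKEN_FIELD: issue_csrf_token(session)}
    genuine_headers = {"Origin": "https://realty.example.com"}
    no_token_form = {"username": "bob", "level": "AGENT"}
    return {
        "vulnerable_forged": add_user_vulnerable(session, forged_form, forged_headers)[0],
        "hardened_forged": add_user_hardened(session, forged_form, forged_headers)[0],
        "hardened_genuine": add_user_hardened(session, genuine_form, genuine_headers)[0],
        "hardened_no_token": add_user_hardened(session, no_token_form, {})[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: HTTP {status}")
```

The vulnerable handler returns 200 for the forged submission because the session cookie is all it checks; the hardened one returns 403 for the same request twice over (foreign Origin, then no token) and still accepts the admin's genuine form. The token must be per session and compared in constant time; the Origin check is cheap extra assurance, not a replacement, since some clients omit the header.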
