Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in ABC ERP version 0.6.4. It allows attackers to modify administrator credentials and profile information without authentication by submitting forged requests to the endpoint _configurar_perfil.php.

Attackers can craft malicious forms or links containing parameters such as username, password, name, and email to change admin account settings. The vulnerability exists because the application does not verify the legitimacy of the request origin, lacking proper CSRF protections.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to change administrator credentials and profile details without authorization. This means an attacker could potentially take over the admin account, leading to unauthorized access and control over the system.

Such unauthorized changes can compromise the security and integrity of the ERP system, potentially leading to further exploitation, data manipulation, or disruption of business operations.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP POST requests to the endpoint /admin/run/_configurar_perfil.php that include parameters such as usuario, contrasena1, contrasena2, nombre, and email without proper CSRF tokens or authentication.'}, {'type': 'paragraph', 'content': 'One way to detect potential exploitation attempts is to capture and analyze web traffic for suspicious POST requests targeting the admin profile update functionality.'}, {'type': 'paragraph', 'content': 'For example, using command-line tools like curl or wget, you can simulate or detect such requests.'}, {'type': 'list_item', 'content': 'Use a network traffic analyzer (e.g., tcpdump or Wireshark) to filter HTTP POST requests to /admin/run/_configurar_perfil.php.'}, {'type': 'list_item', 'content': "Example tcpdump command: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '_configurar_perfil.php'"}, {'type': 'list_item', 'content': 'Use curl to test the vulnerability by sending a crafted POST request with parameters similar to the exploit proof-of-concept.'}, {'type': 'list_item', 'content': "Example curl command to test: curl -X POST http://target/admin/run/_configurar_perfil.php -d 'usuario=attacker&contrasena1=pass&contrasena2=pass&nombre=attacker&[email protected]&old_usuario=admin'"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing proper CSRF protections on the vulnerable endpoint to ensure that requests modifying administrator credentials require a valid CSRF token.

Additionally, restrict access to the /admin/run/_configurar_perfil.php endpoint to authenticated and authorized users only.

If possible, apply patches or updates from the vendor that address this vulnerability.

As a temporary measure, monitor and block suspicious POST requests targeting this endpoint.

Educate administrators to avoid clicking on untrusted links or submitting forms that could trigger unauthorized profile changes.

Useful 0 Not Useful 0