CVE-2018-25190
Status: Received - Intake
CSRF in Easyndexer 1.0 Enables Unauthorized Admin Account Creation

Publication date: 2026-03-06

Last updated on: 2026-03-16

Assigner: VulnCheck

Description
Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. Attackers can craft malicious web pages that submit POST requests to createuser.php with parameters including username, password, name, surname, and privileges set to 1 for administrator access.
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-16
Generated: 2026-06-16
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: rul10
Product: easyndexer
Version / Range: 1.0
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Quick Actions
Executive Summary

Easyndexer 1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to create administrative accounts without authentication.

Attackers can craft malicious web pages that submit forged POST requests to the createuser.php script, specifying parameters such as username, password, name, surname, and setting privileges to 1 to gain administrator access.

This vulnerability exists because the application lacks CSRF protections on the user creation functionality.

Impact Analysis

An attacker can exploit this vulnerability to create unauthorized administrator accounts, gaining full administrative privileges on the affected system.

This unauthorized access can lead to privilege escalation, allowing attackers to control the application, modify data, and potentially compromise the entire system.

Additionally, the database file generaldb.db is accessible without authentication, enabling attackers to download sensitive data.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the createuser.php endpoint with parameters that create new users, especially those with privileges set to 1 (administrator).

You can use network traffic analysis tools like tcpdump or Wireshark to capture and inspect HTTP POST requests targeting /src/createuser.php.

- Example tcpdump command to capture HTTP POST requests to createuser.php: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /src/createuser.php'
- Use curl or similar tools to test if the endpoint accepts POST requests without authentication: curl -X POST http://target/src/createuser.php -d 'username=test&password=test&name=Test&surname=User&privileges=1'

Additionally, check if the database file generaldb.db is accessible via direct GET requests, which indicates exposure of sensitive data.

- Example curl command to check database file access: curl http://target/databases/generaldb.db

Mitigation Strategies

Immediate mitigation steps include implementing CSRF protections on the createuser.php endpoint to prevent unauthorized POST requests from being accepted.

Restrict access to the createuser.php script so that only authenticated and authorized users can create new accounts.

Remove or restrict public access to the generaldb.db database file to prevent unauthorized downloads.

As a temporary measure, monitor and block suspicious POST requests targeting createuser.php that attempt to create users with administrative privileges.
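As an added example (not Easyndexer's own code), the guard below shows one way to apply the first two mitigations to createuser.php: it requires an authenticated administrator session and a per-session synchronizer token on every POST. The session keys 'user' and 'privileges' and the form field name csrf_token are assumptions, not names taken from the project.

```php
<?php
// Added example, not Easyndexer's code: a guard to include at the top of
// createuser.php before any $_POST value is read. Assumes $_SESSION['user']
// holds the logged-in username and $_SESSION['privileges'] the level (1 = admin).
declare(strict_types=1);
session_start();

// Returns the session's synchronizer token, minting one on first use. The form
// that posts to createuser.php must carry it in a hidden input named csrf_token.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG value
    }
    return $_SESSION['csrf_token'];
}

// True only for a POST carrying the token bound to this session. A page on a
// different origin cannot read that token, so a forged cross-site form fails here.
function csrf_valid(array $post, array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        return false; // hash_equals keeps the comparison constant-time
    }
    // Defence in depth: an Origin header, when present, must name our own host
    // (absence is tolerated because some same-origin requests omit it).
    if (isset($server['HTTP_ORIGIN'])) {
        $ourHost = explode(':', $server['HTTP_HOST'] ?? '', 2)[0];
        return parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST) === $ourHost;
    }
    return true;
}

// 1. Only an authenticated administrator may reach the account-creation code.
if (empty($_SESSION['user']) || (int) ($_SESSION['privileges'] ?? 0) !== 1) {
    http_response_code(403);
    exit('Forbidden');
}
// 2. Every state-changing request must present the session token.
if (!csrf_valid($_POST, $_SERVER)) {
    http_response_code(403);
    exit('Missing or invalid CSRF token');
}
```

The existing createuser.php logic that reads username, password, name, surname and privileges from $_POST follows this guard unchanged; the page that renders the creation form embeds htmlspecialchars(csrf_token()) in the hidden csrf_token field.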
