ZSL-2018-5475 - CSRF Add Superuser Exploit


Welcome to Ecessa Support, we have a variety of technical information and tools for a variety of solutions. If you aren't finding a solution, or would like to talk to a technical support team member, please call 800-669-6242.
Please note that as of Jan 3rd, 2025, support tickets will be handled by OneNet Global Support team. Please see OneNet Global Support Portal - End User Instructions for guided information on how to use the OneNet Global ticketing system.

See Ecessa's full line of products and solutions

Advisory source: 

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5475.php

Description of vulnerability:

The web interface allows users to perform certain actions via HTTP requests without performing validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
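The "validity checks" the description refers to, shown as an added illustration rather than Ecessa's own code: a state-changing request is honoured only if its Origin (or Referer) matches the interface's own origin and the form carries the per-session token the server issued. The origin, path and field names below are constructed assumptions.

```python
"""Added example (not Ecessa code): synchronizer-token plus Origin/Referer
check for state-changing requests to a web admin interface. The site origin,
admin path and form field names are hypothetical, constructed for the demo."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://admin-ui.example"  # constructed origin of the admin UI


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Store a random per-session token; the server embeds it in every form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _source_origin(req: Request) -> Optional[str]:
    """Origin header if present, otherwise scheme://host[:port] of the Referer."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Safe methods pass; state changes need both checks."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if _source_origin(req) != SITE_ORIGIN:
        return False, "origin mismatch"  # browser sent the POST from another site
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf token"  # a forged form has no token
    return True, "ok"
```

A cross-site form submitted by a victim's browser carries the victim's session cookie but neither the correct Origin nor the token, so both checks reject it; the fix shipped in 10.7.5 is not described on this page and this code does not claim to reproduce it.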

Vulnerability mitigation:

This vulnerability was addressed in software release 10.7.5. In versions prior to 10.7.5, following these best practices mitigates the risk of CSRF vulnerabilities in all browser-based applications:

  • Log off immediately after using a Web application
  • Do not allow your browser to save username/passwords, and do not allow sites to “remember” your login
  • Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing).
  • The use of plugins such as No-Script makes POST based CSRF vulnerabilities difficult to exploit. This is because JavaScript is used to automatically submit the form when the exploit is loaded. Without JavaScript the attacker would have to trick the user into submitting the form manually.

Source: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Personal_Safety_CSRF_Tips_for_Users
