Follow

ZSL-2018-5475 - CSRF Add Superuser Exploit


Welcome to Ecessa Support, we have a variety of technical information and tools for a variety of solutions. If you aren't finding a solution, or would like to talk to a technical support team member, please call 800-669-6242.

See Ecessa's full line of products and solutions

Advisory source: 

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5475.php

Description of vulnerability:

The web interface allows users to perform certain actions via HTTP requests without performing validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Vulnerability mitigation:

Ecessa plans to fix this vulnerability in software release 10.7.5 which is currently under development.  This advisory will be updated when 10.7.5 is released.  In the meantime, following these best practices mitigates the risk of CSRF vulnerabilities in all browser based applications:

  • Logoff immediately after using a Web application
  • Do not allow your browser to save username/passwords, and do not allow sites to “remember” your login
  • Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing).
  • The use of plugins such as No-Script makes POST based CSRF vulnerabilities difficult to exploit. This is because JavaScript is used to automatically submit the form when the exploit is loaded. Without JavaScript the attacker would have to trick the user into submitting the form manually.

Source: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Personal_Safety_CSRF_Tips_for_Users

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

0 Comments

Article is closed for comments.