16
Kloxo-MR Releases / [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« on: 2014-04-17, 06:50:19 »
Many information about 'Kloxo-MR 6.5.0 - CSRF Vulnerability'. One of report is http://www.exploit-db.com/exploits/32666/.
The question is real or 'false positive'?.
In my test (using Kloxo-MR 6.5.1.b-2014041104):
1. Open firefox and then login with admin as user
2. Open new tab and then execute their code --> success
3. Open Chrome and then execute their code --> fail and page redirect to login page
Conclusion:
1. Their code not work without login (or remote execute will be fail and automatically redirect to login page)
2. With login mean page for their code will have the same session.
2. Not testing for 6.5.0.f but I think the same situation
Action:
1. Above fact still importance for security issue
2. Since 6.5.0.f and 6.5.1.b 2014041602, add 'csrf token' validation.
3. Effect of #2, every process via 'post' (like add domain) always verified with 'csrf token' with/without login
The question is real or 'false positive'?.
In my test (using Kloxo-MR 6.5.1.b-2014041104):
1. Open firefox and then login with admin as user
2. Open new tab and then execute their code --> success
3. Open Chrome and then execute their code --> fail and page redirect to login page
Conclusion:
1. Their code not work without login (or remote execute will be fail and automatically redirect to login page)
2. With login mean page for their code will have the same session.
2. Not testing for 6.5.0.f but I think the same situation
Action:
1. Above fact still importance for security issue
2. Since 6.5.0.f and 6.5.1.b 2014041602, add 'csrf token' validation.
3. Effect of #2, every process via 'post' (like add domain) always verified with 'csrf token' with/without login