mailing list archives
[CVE-2014-5335] CSRF in Innovaphone PBX
From: rg () nsideattacklogic de
Date: Thu, 21 Aug 2014 14:47:59 GMT
Title: Innovaphone PBX Admin-GUI CSRF
CVSS2 Score: 7.8 (AV:N/AC:M/Au:S/C:P/I:C/A:C/E:F/RL:U/RC:C)
Announced: August 21, 2014
Reporter: Rainer Giedat (NSIDE ATTACK LOGIC GmbH, www.nsideattacklogic.de)
Products: Innovaphone PBX Administration GUI
Affected Versions: all known versions (tested 10.00 sr11)
The innovaphone PBX is a powerful and sophisticated VoIP telephone system for use in professional business
environments. In addition to a wide range of IP telephony functionalities, the innovaphone PBX is also equipped with a
perfectly integrated Unified Communications solution that can be enabled as needed at any time and at any workspace.
The innovaphone PBX uses a web-based user interface. This UI is vulnerable to cross-site request forgery attacks (CSRF).
The UI does not check if a request was sent originating from a page it delivered before or from an untrusted and
potentially malicious source. With a CSRF attack a malicious third party is able to change any configurable items from
remote if an administrator is logged in to the user interface and visits a malicious website or clicks a manipulated
link under the control of the attacker.
The lack of a logout mechanism and the use of the digest authentication scheme increases the probability of successful
exploitation, because the user session will never expire automatically.
The attacker has full control over the innovaphone PBX and is able to manipulate every configuration item and user
account data, as well as passwords. This can lead to the redirection of phone calls, denial of service and toll fraud
by adding new SIP endpoints.
Proof on Concept
Visiting a web page including the following HTML image tag will change the administratorâs password of the
innovaphone PBX to 'hacked':
Visiting a web page including the following image will add a new SIP user:
Innovaphone recommends to use a dedicated browser only for administration tasks regarding the PBX and close all browser
instances when administration is done.
More information can be found on the closed support wiki of innovaphone:
This workaround makes sucessful exploitation harder, but an attacker may still be able to use special protocol-handlers
to open URLs in different browsers.
No fix will be provided, since the vendor considers this to be a browser problem.
2014-22-07 Bug found
2014-28-07 Vendor contact
2014-29-07 Vendor reply
2014-29-07 Technical details provided
2014-13-08 Vendor does not plan to patch for now, but provided a workaround
2014-21-08 Public release
- [CVE-2014-5335] CSRF in Innovaphone PBX rg (Aug 22)