: Fixed<\/span><\/p>\n<\/h3>\nDescription<\/h3>\n
In a CSRF attack the attacker can take actions of the web application in behalf of the victim.
Therefore the user has to click on a malicious link of the attacker while being logged in to the web application.<\/p>\n
Due to the CSRF vulnerability, the attacker can enable or disable modules.<\/p>\n
<\/span><\/p>\nProof of Concept (PoC)<\/h3>\n
Attacks need to target an authenticated user with sufficient privileges. The CSRF attack simply needs to send the victim to the following URLs:<\/p>\n
GET request to \/icingaweb2\/config\/moduledisable?name=monitoring
disables the monitoring module.<\/p>\n
GET request to \/icingaweb2\/config\/moduleenable?name=setup
enables the setup module.<\/p>\n
<\/p>\n
\n
\n
Fix<\/h3>\n
Convert requests to HTTP POST and make sure that requests which change the state of the application have a valid CSRF token.<\/span><\/p>\n<\/h3>\nTimeline<\/h3>\n\n- 2018-09-12 First contact request via security@icinga.com<\/li>\n
- 2018-10-02 Vendor received advisories via security@icinga.com<\/li>\n
- 2018-10-11 CVE-ID requested<\/li>\n
- 2018-10-12 received CVE ID and notified vendor about it<\/li>\n
- 2018-11-09 extended public disclosure deadline to 2018-11-25<\/li>\n
- 2018-11-23 vendor states to have fixed the vulnerability in Icinga Web 2 v2.6.2<\/li>\n
- 2018-12-07 Security advisory released<\/li>\n<\/ul>\n
<\/h3>\nCredits<\/h3>\n
The security vulnerability was found by Maximilian Boehner of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n
The X-OWA-UrlPostData<\/em> header could be decoded to the following:<\/p>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
usd-2018-0027 | Icinga Web 2\/2.6.1 Advisory ID: usd-2018-0027CVE number: CVE-2018-18246Affected Product: Icinga Web 2Affected Version: 2.6.1Vulnerability Type: Cross-site request forgerySecurity Risk: MediumVendor URL: https:\/\/www.icinga.com\/Vendor Status: Fixed Description In a CSRF attack the attacker can take actions of the web application in behalf of the victim.Therefore the user has to click on a malicious link of […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16575","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16575","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16575"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16575\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}