|------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | security@corelan.be | | | |-------------------------------------------------[ EIP Hunters ]--| # Software : Actitime 2.0-MA # Author : Markot # Date : July 16, 2010 # Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-058 # OS : Windows # Tested on : XP SP3 En (Virtual box) # Type of vuln : CSRF # Greetz to : Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. 0x00 : Vulnerability information Product : ActiTime Version : 2.0 MA Vendor : http://www.actimind.com URL : http://www.actitime.com 0x01 : Vendor description of software From the vendor website: "Monitor personal time expenses in everyday work, do in-depth analysis of your staff's time-track, provide your customers with information on the completed work, specify time estimates for the tasks and then compare reported working time with estimates and more" 0x02 : Vulnerability details CSRF The discovered vulnerability allows an attacker to send a type of malicious exploit crafted specifically for "ActiTime 2.0 MA" whereby the Administrator could be tricked into executing unauthorized commands or actions. 0x03 : Proof of Concept 0x04 : Author/Vendor communication July 4 2010 : Vendor contacted July 11 2010: reminder sent, no feedback received July 16 2010: public disclosure