Rukovoditel 2.7.2 Clickjacking Vulnerability
Posted: 20 Dec 2020, 00:15
1. Description:
----------------------
Rukovoditel 2.7.2 Clickjacking Vulnerability
2. To Reproduce:
----------------------
- Log in to the panel with a regular user account.
- Go to "Projects" and open your project.
- Select "Add Ticket", choose the "iFrame" field, enter a malicious URI, then click Save.
- Send the ticket link to the admin; when the admin opens that address, the script is triggered.
3. Screenshots:
----------------------
3.1. https://i.imgur.com/ql8t7Pi.png
3.2. https://i.imgur.com/Qd323EA.png
3.3. https://i.imgur.com/ESyeGNm.png
3.4. https://i.imgur.com/myZG6Ff.png
------
Client's view of the ticket:
3.5. https://i.imgur.com/YyuHhbf.png
Admin's view of the same ticket; the script is running:
3.6. https://i.imgur.com/XPGtlrf.png
4. Impact:
----------------------
An attacker can trick the admin by sending them a link to the crafted ticket; when the admin opens it, the embedded script runs in the admin's browser.
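The root cause described above is that the ticket's "iFrame" field accepts any URI and is rendered back to other users. Below is an added example of how a defender would close that gap; it is not Rukovoditel's code. It assumes (hypothetically) that the application stores the field as a raw string and later emits it as an iframe src, and the host allowlist is a constructed sample. It also includes a small header check that tells you whether a response carries anti-framing protection (X-Frame-Options or CSP frame-ancestors), which is the control normally associated with the "clickjacking" label in the title.

```python
"""Added example, not part of the Rukovoditel project.

validate_iframe_uri  - accept only absolute http(s) URIs to allowlisted hosts
render_iframe        - emit a sandboxed, HTML-escaped iframe for a valid URI
framing_protection   - classify a response's anti-framing headers
"""

from html import escape
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed sample allowlist: hosts an operator has approved for embedding.
ALLOWED_HOSTS = {"docs.example.com", "player.example.com"}


def validate_iframe_uri(uri, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for absolute http(s) URIs whose host is allowlisted.

    Rejects javascript:, data:, vbscript: and scheme-relative (//host) URIs,
    the usual ways an iframe src turns into script running in the viewer's
    browser. Also rejects userinfo tricks such as https://good@evil/ because
    urlsplit().hostname returns the part after the last '@'.
    """
    if not isinstance(uri, str) or not uri or len(uri) > 2048:
        return False
    # Control characters and whitespace are rejected outright: some browsers
    # strip them before parsing the scheme, which defeats a naive prefix check.
    if any(ord(c) <= 0x20 for c in uri):
        return False
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower()
    return bool(host) and host in allowed_hosts


def render_iframe(uri):
    """Render a sandboxed iframe for a validated URI; raise for anything else."""
    if not validate_iframe_uri(uri):
        raise ValueError("iframe URI rejected by policy")
    # An empty sandbox attribute disables script execution and same-origin
    # access for the embedded document, so even an allowlisted host that is
    # later compromised cannot act on the admin's session.
    src = escape(uri, quote=True)
    return f'<iframe src="{src}" sandbox="" referrerpolicy="no-referrer"></iframe>'


def framing_protection(headers):
    """Classify a response's anti-framing posture from its headers.

    Returns 'csp' if a frame-ancestors directive is present, 'xfo' if
    X-Frame-Options is DENY or SAMEORIGIN, and 'none' otherwise.
    Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors" and value.strip():
            return "csp"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate URI and the kinds of values a
    # report like this one relies on being accepted.
    for candidate in ("https://docs.example.com/guide",
                      "javascript:alert(1)",
                      "//docs.example.com/x",
                      "https://docs.example.com@evil.example/"):
        print(candidate, "->", "accepted" if validate_iframe_uri(candidate) else "rejected")
    print(render_iframe("https://docs.example.com/guide"))
    print(framing_protection({"X-Frame-Options": "DENY"}))
```

The validator runs at save time and again at render time; storing a rejected value never happens, and rendering goes through escape() and sandbox regardless, so a record that predates the check is still contained. On the viewer side, a 'none' result from framing_protection on the admin pages is the thing to fix first with either header.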
5. Desktop (please complete the following information):
----------------------
- OS: Windows
- Browser: Google Chrome
- Version: 87.0.4280.88
Let me know if you need more information.