Source: PSIRT-CNA@flexerasoftware.com
Cross-site request forgery (CSRF) vulnerability in The Address Book 1.04e allows remote attackers to perform unauthorized actions as other users via unspecified vectors, as demonstrated by deleting arbitrary users via the id parameter in a deleteuser action in users.php.
The Address Book 1.04e is vulnerable to a Cross-Site Request Forgery (CSRF) attack, allowing attackers to perform actions as other users, such as deleting user accounts. The vulnerability stems from the application's failure to verify that state-changing requests were intentionally issued by the logged-in user, which lets a malicious actor trigger the application's functionality through crafted requests.
Step 1: Victim Logged In: The victim is logged into The Address Book 1.04e.
Step 2: Attacker Crafts Payload: The attacker crafts a malicious URL or HTML form containing the deleteuser action and the target user's ID (e.g., users.php?action=deleteuser&id=target_user_id).
Step 3: Payload Delivery: The attacker delivers the malicious payload to the victim, typically via phishing, social engineering, or a compromised website.
Step 4: Victim Interaction: The victim interacts with the malicious payload. This could be as simple as clicking a link or having a malicious image tag loaded on a compromised website.
Step 5: Unauthorized Action: The victim's browser sends the crafted request to The Address Book server. Because there's no CSRF protection, the server processes the request, deleting the target user account.
The root cause of CVE-2006-4582 lies in the absence of CSRF protection mechanisms within The Address Book 1.04e. Specifically, the users.php script, which handles user management functions, fails to validate the origin of requests. This means the application does not verify if a request to delete a user (deleteuser action) originates from a legitimate source (e.g., the user's browser after logging in) or a malicious one (e.g., a crafted link or a compromised website). The vulnerability is triggered by the id parameter, which specifies the user to be deleted. The application trusts this parameter without verifying the request's origin, allowing an attacker to craft a malicious URL or HTML form that, when visited by a logged-in user, will delete the specified user account. The lack of any form of authentication token or origin validation is the core flaw.
Due to the age of the vulnerability and the specific software, it is unlikely to be directly linked to specific APT groups. However, any attacker with basic skills could exploit it. This vulnerability is not listed on the CISA KEV catalog.
Web server logs: Look for requests to users.php that carry the deleteuser action and an id parameter, particularly ones with a missing or third-party Referer header or deletions the logged-in user did not initiate.
Network traffic analysis: Examine HTTP requests for the deleteuser action whose Referer or Origin header points to an unexpected site.
Intrusion Detection Systems (IDS): Configure IDS rules to detect requests containing the deleteuser action and the id parameter.
File Integrity Monitoring (FIM): Monitor the users.php file for unauthorized modifications.
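The log-review and traffic-analysis checks above, worked through as an added example that is not part of the original advisory: it scans access log lines in the common "combined" format for users.php deleteuser requests and flags those whose Referer is absent or belongs to another site. The log lines, the /ab/ path prefix and the hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" format: client ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def deleteuser_id(path):
    """Return the id parameter when the request is a users.php deleteuser action, else None."""
    url = urlparse(path)
    if not url.path.endswith("users.php"):
        return None
    qs = parse_qs(url.query)
    if qs.get("action", [""])[0] != "deleteuser":
        return None
    return qs.get("id", [None])[0]

def referer_problem(referer, app_host):
    """Reason string if the Referer is absent or off-site; None when it is first-party."""
    if referer in ("", "-"):
        return "missing referer"
    host = urlparse(referer).hostname
    return None if host == app_host else f"cross-origin referer from {host}"

def find_suspicious_deletes(lines, app_host):
    """Flag deleteuser requests whose Referer is missing or belongs to another site."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        uid = deleteuser_id(m["path"])
        if uid is None:
            continue
        reason = referer_problem(m["referer"], app_host)
        if reason:
            hits.append({"client": m["client"], "user": m["user"], "deleted_id": uid, "status": m["status"], "reason": reason})
    return hits

# Constructed sample log lines (not real traffic); hostnames and paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Oct/2024:10:01:02 +0000] "GET /ab/users.php?action=deleteuser&id=7 HTTP/1.1" 200 512 "http://addressbook.example.internal/users.php" "Mozilla/5.0"',
    '10.0.0.9 - bob [12/Oct/2024:10:03:44 +0000] "GET /ab/users.php?action=deleteuser&id=3 HTTP/1.1" 200 512 "http://evil.example/lure.html" "Mozilla/5.0"',
    '10.0.0.9 - bob [12/Oct/2024:10:03:45 +0000] "GET /ab/users.php?action=deleteuser&id=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - alice [12/Oct/2024:10:04:00 +0000] "GET /ab/users.php?action=list HTTP/1.1" 200 2048 "http://evil.example/lure.html" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for hit in find_suspicious_deletes(SAMPLE_LOG, "addressbook.example.internal"):
        print(hit)
```

The Referer header is a heuristic, not proof: browsers and privacy policies may strip it, which is why an absent Referer on a deletion is reported as well and each hit should be confirmed against the named user's own activity.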
Implement CSRF protection: Add a unique, unpredictable CSRF token to all forms and requests that modify data. The server should validate the token's presence and correctness for each request.
Input validation: Sanitize and validate all user inputs, especially the id parameter, to prevent unexpected behavior.
Origin validation: Check the Origin or Referer header of state-changing requests and reject those that do not come from the application's own origin, as a complement to (not a substitute for) the CSRF token.
Upgrade or replace: If possible, upgrade to a newer version of The Address Book or replace it with a more secure alternative.
Regular security audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities.