CVE-2022-23904: Account Privilege upgrade on Auctionworx software (CVE-2022-23904) – Ebere

Rainworx Auctionworx < 3.1R2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows an authenticated user to upgrade their own account to admin and gain access to the Auctionworx admin control panel. This vulnerability affects AuctionWorx Enterprise and AuctionWorx: Events Edition.


Description: Cross-Site Request Forgery
Affected Versions: AuctionWorx Enterprise and Events Edition <3.1R2
CVE ID: CVE-2022-23904
CVSS Score: 9.0 (High)
Fully Patched Version: v3.1 R2 (Update Rollup)
Researcher/s: Ebere Orisi

Summary:

The AuctionWorx software created by Rainworx Softwares is vulnerable to a Cross-Site Request Forgery attack that allows an authenticated user to upgrade their own account to admin and gain access to the AuctionWorx admin control panel. This vulnerability affects AuctionWorx Enterprise and AuctionWorx: Events Edition.

Steps to Replicate:

  • Create an account and log in to any of the Rainworx sites listed on https://www.rainworx.com/Clients.

  • Go to the My Account page, then Details to update account information. Update account details while intercepting the POST request with a proxy such as OWASP ZAP.

  • Add the following field to the request body, before the ‘Save’ field:

    • &Role_Admin=true&Role_Admin=false

  • After this, log out and log in again; you’ll then be granted access to the AuctionWorx admin control panel, where you’ll have access to all User Information, Reports, Billings, Site settings, Product Listings, etc.

Remediation:

  • Use CSRF Tokens

  • Add a hash (session-id, function name, server-side secret) to all forms.

  • Blacklist certain form fields in POST requests (in particular, never bind role or privilege fields from the account-details form)

  • Allow only a certain number of admin accounts on the web application

  • Only allow admin access to particular domains
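
The first three remediations combined in one server-side handler, as an added example that is not AuctionWorx code: a per-form token built as an HMAC over the session id and form name under a server-side secret, and an allow-list of bindable fields so a `Role_Admin` key in the body is dropped no matter how many times it is repeated. The field names, the secret and the `AccountDetails` form name are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed example, not the vendor's code. The secret would come from
# configuration in a real deployment; the editable field names are hypothetical.
SERVER_SECRET = b"constructed-server-secret"
EDITABLE_FIELDS = {"FirstName", "LastName", "Email"}


def csrf_token(session_id: str, form_name: str) -> str:
    """Per-session, per-form token: HMAC-SHA256(secret, session_id ':' form_name)."""
    msg = f"{session_id}:{form_name}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def update_account_details(session_id: str, user: dict, body: str) -> dict:
    """Apply a POSTed account-details form to `user` and return the updated record.

    Raises PermissionError when the CSRF token is missing or wrong. Keys outside
    EDITABLE_FIELDS (Role_Admin, Save, the token itself) are ignored, so the
    role cannot be changed through this form even with a valid token.
    """
    form = parse_qs(body, keep_blank_values=True)  # repeated keys become lists
    token = form.get("csrf_token", [""])[0]
    expected = csrf_token(session_id, "AccountDetails")
    if not hmac.compare_digest(token, expected):  # constant-time comparison
        raise PermissionError("CSRF token missing or invalid")
    updated = dict(user)
    for key, values in form.items():
        if key in EDITABLE_FIELDS:
            updated[key] = values[0]
    return updated


def accepts(session_id: str, user: dict, body: str) -> bool:
    """True when the form passes the CSRF check (handy for demos and tests)."""
    try:
        update_account_details(session_id, user, body)
        return True
    except PermissionError:
        return False
```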

References:

  • https://owasp.org/www-community/attacks/csrf

  • https://www.rainworx.com/AuctionWorx/ReleaseNotes
