CVE-2022-23475: Account take over flaw in open source RADIUS web management app

CVE-2022-23475

Maintainers of the daloRADIUS project have moved to address a high-security vulnerability in its application that, if successfully exploited, could result in an account takeover.

Tracked as CVE-2022-23475, the issue has a CVSS severity score of 8.0. The security flaw affects all versions of daloRADIUS prior < 1.3.

daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, and a billing engine and integrates with GoogleMaps for geo-locating. daloRadius is used by a number of organizations for managing Hotspots and general-purpose ISP deployments.

CVE-2022-23475

CVE-2022-23475 was caused by improper validation of user-supplied input by the mng-del.php script. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute a script in a victim’s Web browser within the security context of the hosting Web site. Once the URL is clicked, an attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

daloRadius 1.3 was vulnerable to XXS+CSRF to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116,according to the security advisory.

How Steps to Reproduce

  1. The vulnerability lies in the /mng-del.php file
  2. we can send a request like the following http://<domain>/mng-del.php?username[]=a&username[]=%3C%2Ftd%3E%3Cimg+src+onerror%3D%22alert(document.domain)%22%3E to pop a simple alert box.
  3. You can use the following payload to create a new operator account
  4. There are multiple forms that are vulnerable to CSRF

Users are advised to upgrade to the latest daloRADIUS version (v1.3) version as soon as possible in order to mitigate this issue. Users may also mitigate this issue with the following method:

  1. The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implementation of a CSRF token in all forms
  2. We can prevent the XSS by escaping it or by introducing a Content-Security policy