
CSRF Bypass v1.3.6 #389

Closed
zxc7528064 opened this issue May 30, 2020 · 18 comments

zxc7528064 commented May 30, 2020

No description provided.

zxc7528064 (Author) commented Jun 1, 2020

Affected software: BlackCat CMS

Type of vulnerability: CSRF (Cross-Site Request Forgery)

Discovered by: Noth

Author: Noth

Version: v1.3.6

Description: BlackCat CMS is vulnerable to persistent Cross-Site Request Forgery attacks, which allow malicious users to inject HTML or scripts and forge user permissions to operate.

Vulnerable URL:
http://127.0.0.1/blackcatcms-release/backend/login/index.php

Step 1: go to backend/login/index.php

Step 2: Use Burp Suite to intercept packets

Step 3: Generate PoC (remove the csrf_token ==> "")

Test video:
https://drive.google.com/file/d/1tfIPHocmoskX-9wc5rw_7kdX3lNmGpzG/view?usp=sharing

Bypass the csrf_token to login

@zxc7528064 zxc7528064 changed the title CSRF Bypass CSRF Bypass v1.3.6 Jun 2, 2020
creativecat (Contributor) commented Jun 2, 2020 via email

zxc7528064 (Author):

@creativecat Thank you!

webbird (Contributor) commented Jun 8, 2020

Token use is optional, is it set to on or off?
I do not see a high risk here. The user still needs valid account data for login.

zxc7528064 (Author):

Token can be bypassed, this is a problem.

webbird (Contributor) commented Jun 23, 2020

A token is generated in any case here, that doesn't mean it is used in any case, too. You will need to enable the check first. I will add a check for empty token, but ONLY if CSRFMagic is enabled.

[Screenshot: BlackCat CMS » Administration - SETTINGS]
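The empty-token bypass discussed in this thread, as an added PHP illustration that is not BlackCat CMS or csrf-magic code: a check that lets an empty `csrf_token` through, next to one that rejects it and rotates the token after use. The function names and the `csrf_token` session/POST keys are assumptions.

```php
<?php
// Added illustration, not BlackCat CMS or csrf-magic code. Function names and
// the 'csrf_token' session/POST keys are assumptions for this example.

// Weak check: an absent or empty token short-circuits the comparison, so a
// forged POST that simply sets csrf_token="" is never rejected.
function csrf_check_weak(array $post, array $session): bool
{
    $token = $post['csrf_token'] ?? '';
    if ($token === '') {
        return true;   // BUG: "no token" is treated as "nothing to verify"
    }
    return $token === ($session['csrf_token'] ?? '');
}

// Hardened check: both the session token and the submitted token must be
// non-empty and match under a constant-time comparison; the session token
// is rotated after a successful check so a captured value cannot be replayed.
function csrf_check_strict(array $post, array &$session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $token    = $post['csrf_token'] ?? '';
    if ($expected === '' || $token === '') {
        return false;  // absent or empty token is always a failure
    }
    if (!hash_equals($expected, $token)) {
        return false;
    }
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return true;
}

// Constructed sample requests: one from a form that rendered the token, and
// a forged one that omits it (the reported bypass).
$session = ['csrf_token' => bin2hex(random_bytes(32))];
$valid   = ['username' => 'admin', 'password' => 'secret', 'csrf_token' => $session['csrf_token']];
$forged  = ['username' => 'admin', 'password' => 'secret', 'csrf_token' => ''];

printf("weak   / forged : %s\n", csrf_check_weak($forged, $session)   ? 'accepted' : 'rejected');
printf("strict / forged : %s\n", csrf_check_strict($forged, $session) ? 'accepted' : 'rejected');
printf("strict / valid  : %s\n", csrf_check_strict($valid, $session)  ? 'accepted' : 'rejected');
// A second submit of the same valid token fails because the token was rotated.
printf("strict / replay : %s\n", csrf_check_strict($valid, $session)  ? 'accepted' : 'rejected');
```

The strict variant applies whether or not a token-enabled setting is on: if the check runs at all, an empty token must be a failure, never a skip.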

zxc7528064 (Author):

@webbird Thank you, I got it.

webbird (Contributor) commented Jun 24, 2020

Anyway, the token is not being checked in any case, so we have to fix this.

@webbird webbird self-assigned this Jun 24, 2020
webbird pushed a commit that referenced this issue Jun 24, 2020
webbird (Contributor) commented Jun 24, 2020

Now we have a problem with valid login... :(

zxc7528064 (Author):

Did you already fix it?

webbird (Contributor) commented Jul 2, 2020

This is still work in progress. I have a full-time job. ;)

zxc7528064 (Author):

xD Ok! @webbird, if the security problem is fixed, please tell me!

webbird pushed a commit that referenced this issue Jul 3, 2020
webbird (Contributor) commented Jul 3, 2020

Should work now, will have to do some testing...

webbird (Contributor) commented Jul 3, 2020

"Add page" does not work now...

webbird (Contributor) commented Jul 3, 2020

Since I have some problems with csrf-magic and it is no longer maintained, I am currently testing the integration of another module. This will take some time.

https://github.com/mebjas/CSRF-Protector-PHP

zxc7528064 (Author):

Ok! @webbird, just fix it slowly.

Best Regards

@webbird webbird added this to the v1.4 milestone Jul 8, 2020
webbird (Contributor) commented Sep 1, 2020

Issue "fixed" by removing the CSRF token. V1.4 will use SameSite cookies instead.

@webbird webbird closed this as completed Sep 1, 2020
zxc7528064 (Author):

@webbird Thank you.
