Hello,
I came across this CMS and tried to find bugs in it. I see that the user edit page is vulnerable to a CSRF attack because there is no CSRF token to validate the user's request. It means that if an admin user visits a crafted URL made by an attacker (via XSS or phishing), a POST request will be generated and submitted to wity/admin/user/edit/1 that will change the admin user's information, including password and email address.
Once exploited, the attacker can fully take over the admin's account.
Affected URL: http://192.168.56.200/wity/admin/user/edit/1
Steps to reproduce:
1. Check the POST request when a user edits their information on /wity/admin/user/edit/1
2. Build a CSRF POC based on the POST request from user/edit and store it on the attacker's site
3. Let the user access the CSRF POC on the attacker's site; a POST request will then be generated and sent to http://192.168.56.200/wity/admin/user/edit/1

Visiting attacker site:
POST request generated:
After that, the user's information will be changed to the values the attacker put in the CSRF POC.
Mitigation:
The original password should be required in order to set a new password for the user.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
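As an added illustration (not code from this report or from the wity project), the following Python sketch shows the two fixes the report points at: a per-session synchronizer token that the edit form must echo back, and a current-password check before any password change. The session, user store, field names and sha256 hashing are all constructed for the example; a real CMS would use its own session storage and a proper password hash.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store; sha256 stands in for a real password hash.
def hash_pw(password):
    return hashlib.sha256(password.encode()).hexdigest()

USERS = {1: {"email": "admin@example.test", "pw_hash": hash_pw("old-password")}}

def new_session(user_id):
    """Log a user in and bind a fresh, unguessable CSRF token to the session."""
    return {"user_id": user_id, "csrf_token": secrets.token_hex(32)}

def render_edit_form(session):
    """The edit form embeds the session token as a hidden field. A page on
    another origin cannot read this value, so it cannot forge a valid POST."""
    return {"csrf_token": session["csrf_token"]}

def handle_user_edit(session, form, target_id):
    """Apply /admin/user/edit only if the request passes both checks:
    1. the submitted csrf_token equals the session's token (compared in
       constant time), which rejects the cross-site POST the report describes;
    2. a password change also carries the correct current password, the
       mitigation the report proposes, so the edit form alone cannot rotate
       credentials."""
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, session["csrf_token"].encode()):
        return "rejected: missing or invalid CSRF token"
    user = USERS[target_id]
    if form.get("new_password"):
        current = form.get("current_password", "")
        if not hmac.compare_digest(hash_pw(current), user["pw_hash"]):
            return "rejected: current password required to set a new password"
        user["pw_hash"] = hash_pw(form["new_password"])
    if form.get("email"):
        user["email"] = form["email"]
    return "ok"
```

A forged request carries neither the victim's token nor their current password, so it fails at the first check; a legitimate edit made from the rendered form passes both.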