CSRF attack leads to deletion of shoutbox messages #2347
Comments

@FrederickChan @RobiNN1 Any updates on this?

Hi @RobiNN1 @FrederickChan, any updates on this vulnerability? Thanks.

Hi @RobiNN1 @FrederickChan @JoakimFalk, any updates or details on this issue, like when and how you are planning to fix it? I can help with the details of how to fix this if you want me to. Awaiting your response. Thanks.

You can delete your own shout messages by default, using any kind of tool, not necessarily a browser. This is not faulty. A simple link can remove his or her own shout messages.

Yeah, so that exactly is the concern. There is no anti-CSRF token implemented in this form, like you have fusion_token in other forms which lead to such actions. So in the video I have demonstrated that as an attacker I can create an HTML page and pass it on to a logged-in admin user. Thus the admin user, upon clicking the submit button, triggers the unintended action of deleting a particular message (which the admin actually didn't want to). Hence, this is a valid issue. Kindly refer to the link below as an example to understand this vulnerability: It is a valid vulnerability, thus I request you to re-open it and fix this.

@FrederickChan @RobiNN1 You are a logged-in admin user using the PHP-Fusion CMS normally, as you do in your day-to-day tasks. I am a normal user who is also a user of the PHP-Fusion CMS of the same company. Now I see a shout message that you have posted, and as a normal user I don't like this shoutbox message and I want to delete it without your knowledge. But as I am a normal user I cannot delete it, and this action can only be performed by you, as you are the admin. So I create a maliciously crafted HTML page, as I have mentioned in my description, and send it across to you through some communication medium such as mail. You, as a logged-in user, open this HTML page and click the submit button. Hence, after this action is performed, you observe that even though you didn't intend to delete the shoutbox message, it is deleted. So, this vulnerability of performing a malicious action on your behalf is known as CSRF. Hope I am clear now. If you are still confused and want to know how to fix such issues throughout the application, you can refer to these links: https://portswigger.net/web-security/csrf Regards,

To fix this vulnerability, what you can do is perform the delete-message action using the POST HTTP method with an anti-CSRF token such as Fusion_token implemented. Make sure that this token is not reusable, sufficiently long, random, and non-guessable. More info on best practice to mitigate this vulnerability can be found here: Regards,
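The scenario the reporter describes above (a logged-in admin's browser is made to submit the delete request from a page the attacker controls) and the fix proposed in this comment (POST plus a single-use, random, per-session token) can be shown side by side in a small simulation. The following is an added example written for this thread, not code from PHP-Fusion; the `Session`, `Shoutbox`, handler and parameter names (including the `delete` and `fusion_token` form fields as used here) are constructed stand-ins for the real handlers, and the in-memory data is made up. It contrasts a handler that deletes on any authenticated request with one that demands a POST carrying a token the cross-site page cannot know, and shows that the token is burned after one use.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-ins for a login session and the shoutbox table (not PHP-Fusion's own types).
@dataclass
class Session:
    user: str
    is_admin: bool = False
    csrf_tokens: set = field(default_factory=set)  # outstanding single-use tokens for this session


@dataclass
class Shoutbox:
    messages: dict = field(default_factory=dict)  # shout_id -> (author, text)


def issue_token(session: Session) -> str:
    """Mint a 256-bit random token, bind it to this session, and allow it to be spent once."""
    token = secrets.token_urlsafe(32)
    session.csrf_tokens.add(token)
    return token


def consume_token(session: Session, presented: str) -> bool:
    """Accept only a token still outstanding for this session, then discard it (non-reusable)."""
    matched = None
    for t in session.csrf_tokens:
        if hmac.compare_digest(t, presented):  # constant-time comparison
            matched = t
            break
    if matched is None:
        return False
    session.csrf_tokens.discard(matched)
    return True


def may_delete(session: Session, box: Shoutbox, shout_id: str) -> bool:
    """Authorisation as described in the thread: own messages, or anything if admin."""
    author = box.messages[shout_id][0]
    return session.is_admin or author == session.user


def delete_shout_vulnerable(box: Shoutbox, session: Session, method: str, params: dict) -> str:
    """Mirror of the reported behaviour: any request that rides on the session cookie deletes."""
    shout_id = params.get("delete")
    if shout_id not in box.messages:
        return "404 not found"
    if not may_delete(session, box, shout_id):
        return "403 forbidden"
    del box.messages[shout_id]
    return "200 deleted"


def delete_shout_hardened(box: Shoutbox, session: Session, method: str, params: dict) -> str:
    """Same action, but only via POST and only with a fresh token issued to this session."""
    if method != "POST":
        return "405 method not allowed"
    if not consume_token(session, params.get("fusion_token", "")):
        return "403 missing, wrong or reused token"
    shout_id = params.get("delete")
    if shout_id not in box.messages:
        return "404 not found"
    if not may_delete(session, box, shout_id):
        return "403 forbidden"
    del box.messages[shout_id]
    return "200 deleted"


def simulate() -> dict:
    """Replay the thread's scenario against both handlers and return the outcomes."""
    results = {}

    # Vulnerable handler: a request forged from a third-party page carries the admin's
    # cookie and nothing else, which is all this handler checks.
    admin = Session("admin", is_admin=True)
    box = Shoutbox({"7": ("admin", "hello")})
    results["vulnerable_forged_get"] = delete_shout_vulnerable(box, admin, "GET", {"delete": "7"})
    results["vulnerable_message_gone"] = "7" not in box.messages

    # Hardened handler: the forging page cannot read a token from the admin's session,
    # so it can only omit it or guess; both are rejected and the message survives.
    admin = Session("admin", is_admin=True)
    box = Shoutbox({"7": ("admin", "hello")})
    results["hardened_forged_get"] = delete_shout_hardened(box, admin, "GET", {"delete": "7"})
    results["hardened_forged_post"] = delete_shout_hardened(
        box, admin, "POST", {"delete": "7", "fusion_token": "guess"})
    results["hardened_survives_forgery"] = "7" in box.messages

    # Legitimate use: the delete form rendered for the admin embeds a fresh token,
    # which works exactly once; replaying it for a second delete fails.
    token = issue_token(admin)
    results["hardened_legit_post"] = delete_shout_hardened(
        box, admin, "POST", {"delete": "7", "fusion_token": token})
    box.messages["8"] = ("bob", "another")
    results["hardened_replayed_token"] = delete_shout_hardened(
        box, admin, "POST", {"delete": "8", "fusion_token": token})
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The token has the four properties this comment asks for: it comes from a CSPRNG (`secrets`), it is 256 bits long, it is bound to one session so a token issued to another user is useless, and it is removed on first use so a captured form submission cannot be replayed. Rendering it into the delete form and rejecting GET means a link or auto-submitting form on another origin has no way to satisfy the check.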

Look, if you want to delete your own shoutbox message, it is allowed. Why bother what method or software was used? You can copy the link and delete it with tabs, ZAP, Burp, etc. Doesn't matter. It is your own content. If you can delete other users' shout messages, then yes, I will reopen the issue.

The issue here is that I don't want to delete that message, but the attacker wants to delete it. Hence he/she makes use of the maliciously crafted HTML page to delete that message, and the admin unintentionally deletes it on the attacker's behalf. This is a valid security vulnerability called Cross-Site Request Forgery (CSRF) under OWASP, so the decision is upon you to fix it or not. As a responsible security researcher, I have discovered and notified you about the vulnerability; it is upon you to fix it, or to see this vulnerability being exploited in the wild by not fixing it.

Hey, I agree that this seems to be a security issue. You have to imagine the following scenario:
I hope this helps you to understand the vulnerability, and I also hope that this is what @oosman-rak is talking about. So it's not about you deleting your own messages, but rather about you visiting a malicious site which then deletes your messages by forcing your browser to do things you do not want to do.
Describe the bug
PHP-Fusion version 9.03.90 is vulnerable to a CSRF attack which leads to deletion of shoutbox messages by the attacker on behalf of the logged-in victim.
Version
PHP-Fusion version 9.03.90.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Screenshots
bandicam.2020-12-21.21-26-05-663.mp4