CSRF attack leads to deletion of shoutbox messages #2347

Closed
oosman-rak opened this issue Dec 21, 2020 · 11 comments

oosman-rak commented Dec 21, 2020

Describe the bug
PHP-Fusion version 9.03.90 is vulnerable to a CSRF attack which lets an attacker delete shoutbox messages on behalf of the logged-in victim.

Version
PHP-Fusion version 9.03.90.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'https://v9.demos.php-fusion.co.uk/home.php'
  2. Log in using the demo credentials.
  3. After logging in, post any shoutbox message.
  4. Now create an HTML form that performs the delete operation on the shoutbox message, like the one below.

<!-- CSRF proof of concept posted by the reporter. The form has no method attribute, so it submits via GET. -->
<html>
  <body>
    <!-- hides the attacker's file path in the address bar -->
    <script>history.pushState('', '', '/')</script>
    <form action="https://v9.demos.php-fusion.co.uk/infusions/shoutbox_panel/shoutbox_archive.php">
      <!-- field names were HTML-entity encoded (s&#95;action, shout&#95;id) in the original; the decoded form is shown here -->
      <input type="hidden" name="s_action" value="delete" />
      <input type="hidden" name="shout_id" value="3" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

  5. Save the above code as an .html file.
  6. Now log back into the application.
  7. Open the HTML file in the same browser in which you are logged in.
  8. Click "Submit request" and observe that the shoutbox message is deleted.
  9. The attacker can change shout_id to a different value and observe that all shoutbox messages of the logged-in user can be deleted.

Expected behavior

  1. Implement an anti-CSRF token which is random and is changed/destroyed after it is used once.
  2. Include this anti-CSRF token in the POST body whenever the user deletes or performs any other state-changing request.

Screenshots

bandicam.2020-12-21.21-26-05-663.mp4
@oosman-rak
Author

@FrederickChan @RobiNN1 any updates on this?

@oosman-rak oosman-rak changed the title CSRF attack leads to deletion of shoutbox messages CSRF attack leads to deletion of All shoutbox messages Jan 4, 2021
@oosman-rak oosman-rak changed the title CSRF attack leads to deletion of All shoutbox messages CSRF attack leads to deletion of shoutbox messages Jan 5, 2021
@oosman-rak
Author

Hi @RobiNN1 @FrederickChan ,

Any updates on this vulnerability?

Thanks,
Mohamed Oosman B S

@oosman-rak
Author

Hi @RobiNN1 @FrederickChan @JoakimFalk ,

Any updates or details on this issue like when and how you are planning to fix this?

I can help with the details of how to fix this if you want me to. Awaiting your response.

Thanks,
Mohamed Oosman B S

@FrederickChan
Member

FrederickChan commented Jan 14, 2021

You can delete your own shout messages by default, using any kind of tool, not necessarily a browser. This is not a fault. A simple link can remove his or her own shout messages.

@oosman-rak
Author

@FrederickChan ,

Yeah, so that is exactly the concern. There is no anti-CSRF token implemented in this form, as you have fusion_token in other forms that lead to such actions.

So in the video I have demonstrated that, as an attacker, I can create an HTML page and pass it on to a logged-in admin user. When the admin user clicks the submit button, this leads to the unintended action of deleting a particular message (which the admin actually didn't want to delete). Hence, this is a valid issue. Kindly refer to the link below as an example to understand this vulnerability:
https://portswigger.net/web-security/csrf

It is a valid vulnerability, thus request you to re-open it and fix this.

@oosman-rak
Author

@FrederickChan @RobiNN1
Let me explain through an example:

You are a logged-in admin user using the PHP-Fusion CMS normally, as you do in your day-to-day tasks. I am a normal user who is also a user of the PHP-Fusion CMS of the same company.

Now I see a shout message that you have posted, and as a normal user I don't like this shoutbox message and want to delete it without your knowledge. But as I am a normal user I cannot delete it; this action can only be performed by you, as you are the admin.

So I create a maliciously crafted HTML page, as I have mentioned in my description, and send it across to you through some communication medium such as mail.

You, as a logged-in user, open this HTML page and click the submit button. After this action is performed you observe that, even though you didn't intend to delete the shoutbox message, it is deleted.

So this vulnerability, performing a malicious action on someone's behalf, is known as CSRF.

Hope I am clear now. If you are still confused and want to know how to fix such issues throughout the application, you can refer these links:

https://portswigger.net/web-security/csrf
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

Regards,
Mohamed Oosman B S

@oosman-rak
Author

@FrederickChan @RobiNN1

To fix this vulnerability, what you can do is perform the delete-message action using the POST HTTP method with an anti-CSRF token such as Fusion_token implemented. Make sure that this token is not reusable, sufficiently long, random and non-guessable.

More info on best practice to mitigate this vulnerability can be found here:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

Regards,
Mohamed Oosman B S
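The two fixes the reporter asks for above (a random, single-use token, and accepting the delete only via POST with the token in the body) can be shown together in one handler. The following is an added example written for this thread; it is not PHP-Fusion's code and does not use fusion_token. Only the request fields s_action and shout_id come from the issue; the function names, the form_token field name, the 600-second lifetime and the delete_shout() storage call are assumptions. Note that because the original endpoint answered to GET (the proof-of-concept form has no method attribute), the same request could be fired from an `<img src>` with no click at all, which is why the handler below refuses anything but POST.

```php
<?php
// Added example (not PHP-Fusion code): a shoutbox delete handler guarded by a
// per-form, single-use synchronizer token kept in the PHP session.
// Assumptions: field name form_token, 600 s token lifetime, delete_shout() stub.
declare(strict_types=1);

session_start();

const SHOUT_TOKEN_KEY = 'shout_delete_tokens';
const SHOUT_TOKEN_TTL = 600; // seconds a token stays valid (assumption)

/** Issue a fresh CSPRNG token for the delete form and remember it in the session. */
function issue_shout_delete_token(): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits of entropy, 64 hex chars
    $_SESSION[SHOUT_TOKEN_KEY][] = ['token' => $token, 'expires' => time() + SHOUT_TOKEN_TTL];
    return $token;
}

/** Validate and consume a submitted token. Returns true at most once per token. */
function consume_shout_delete_token(string $candidate): bool
{
    $store = $_SESSION[SHOUT_TOKEN_KEY] ?? [];
    $found = false;
    foreach ($store as $i => $entry) {
        if ($entry['expires'] < time()) {
            unset($store[$i]);            // drop expired tokens as we go
            continue;
        }
        // Constant-time comparison so the check does not leak the token byte by byte.
        if (!$found && hash_equals($entry['token'], $candidate)) {
            unset($store[$i]);            // single use: the token is gone after this
            $found = true;
        }
    }
    $_SESSION[SHOUT_TOKEN_KEY] = array_values($store);
    return $found;
}

/** Hypothetical storage call. A real handler also checks ownership or admin role here. */
function delete_shout(int $shoutId, int $userId): bool
{
    return $shoutId > 0 && $userId > 0;
}

// --- Request handling ----------------------------------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['s_action'] ?? '') === 'delete') {
    // Only POST reaches this branch, so a GET link or <img src=...> cannot delete.
    // The token lives in the victim's session and page; a cross-site page cannot read it.
    $token = $_POST['form_token'] ?? '';
    if (!is_string($token) || $token === '' || !consume_shout_delete_token($token)) {
        http_response_code(403);
        exit('Invalid, reused or expired form token.');
    }
    $shoutId = filter_input(INPUT_POST, 'shout_id', FILTER_VALIDATE_INT);
    if ($shoutId === false || $shoutId === null) {
        http_response_code(400);
        exit('Bad shout_id.');
    }
    if (!delete_shout($shoutId, (int) ($_SESSION['user_id'] ?? 0))) {
        http_response_code(403);
        exit('Not allowed.');
    }
    header('Location: shoutbox_archive.php', true, 303); // PRG: no resubmit on reload
    exit;
}

// --- Rendering the delete form on a normal GET --------------------------
$token   = issue_shout_delete_token();
$shoutId = 3; // the id used in the reporter's proof of concept
?>
<form method="post" action="shoutbox_archive.php">
  <input type="hidden" name="s_action" value="delete">
  <input type="hidden" name="shout_id" value="<?= (int) $shoutId ?>">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit">Delete</button>
</form>
```

Run against the reporter's proof-of-concept page, this handler fails twice: the forged request is a GET, and even if the attacker switches the form to POST it carries no form_token, so it is rejected before shout_id is looked at. Setting the session cookie with SameSite=Lax is a worthwhile second layer, but it is not a substitute for the token, since it does not cover every browser or every top-level POST scenario.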

@FrederickChan
Member

Look, if you want to delete your own shoutbox message it is allowed. Why bother about what method or software was used? You can copy the link and delete it with tabs, ZAP, Burp, etc. Doesn't matter. It is your own content.

If you can delete other users shout messages then yes, I will reopen the issue.

@oosman-rak
Author

oosman-rak commented Jan 14, 2021

@FrederickChan @RobiNN1

The issue here is that I don't want to delete that message, but the attacker wants to delete it. Hence he/she makes use of the maliciously crafted HTML page, and the admin unintentionally deletes it on the attacker's behalf.

This is a valid security vulnerability called Cross Site Request Forgery (CSRF) attack under OWASP, so the decision is upon you to fix it or not. As a responsible security researcher, I have discovered and notified you about the vulnerability, it is upon you to fix it or see this vulnerability being exploited in the wild by not fixing it.

@zsh-lgtm

zsh-lgtm commented Jan 14, 2021

@LorenzNickel

Hey,

I agree that this seems to be a security issue.

You have to imagine the following scenario:

  1. User logs in on the vulnerable site
  2. User creates a shoutbox message
  3. User visits malicious site while being logged in on the vulnerable site
  4. The malicious site forces the user's browser to perform a request to the vulnerable site (feasible even without user interaction) => Cross-Site-Request
  5. The vulnerable site receives the authenticated call from the user's browser and deletes the shoutbox message as requested
  6. The shoutbox message has been deleted without the user's consent or them even knowing about it because their browser has sent a request in the background

I hope this helps you to understand the vulnerability and I also hope that this is what @oosman-rak is talking about.

So it's not about you deleting your own messages but rather about you visiting a malicious site which then deletes your messages by forcing your browser to do stuff you do not want to do.

FrederickChan added a commit that referenced this issue Jan 20, 2021