Multiple Security Issue of CSRF at Few Parameters #275
Exploit Title: Multiple Security Issue of CSRF at Few Parameters
As quoted from the official site of BigTree CMS, BigTree CMS is an open source content management system built on PHP and MySQL. It was created by – and for – user experience and content strategy experts. BigTree’s user system is designed for a single webmaster or large distributed teams. Users can be editors or publishers of a single page or the entire site.
2.1. Cross Site Request Forgery (CSRF)
Generally, CSRF is an attack that “forces” a user to perform an action that is basically “unwanted” in a web-based application, by taking advantage of the fact that the victim is already authorized (logged in). In general, this kind of attack is possible because of the absence of an authentication step before a change is made, or the absence of a unique token that must accompany the request (the unique token is usually used so that the user is not troubled with retyping a password for changes that are not very significant).
In this situation, the lack of a CSRF token could be found in a few features, such as Colophon Changing (a feature to change the web footer easily), User Deletion, and Navigation Social Changing (changing the URL to a malicious one).
Please kindly note that, as we learned a few things about BigTree CMS, we found that protection is provided by requiring the “Referer” header on the HTTP/S request. For example, when we tried a PoC of CSRF against the “Added User” feature, the feature required the “Referer” header to “completely finish” the PoC. But for the 3 (three) features mentioned above, that protection is not given yet.
2.2. Colophon Feature
Simply put, this feature allows users to write their own footer in the sidebar. By default, the value of Colophon is "Built on BigTree CMS", with a URL embedded in the product name.
2.3. Nav-Soc Feature (Navigation Social)
This feature allows users to add their own social networks, with the provided URLs and logos, to the sidebar of the application.
III. Summary of Issue
As delivered before, the security problem in this report relates to a “Lack of CSRF Token” on separate parameters, which could affect changes such as:
IV. Information and Situation of this PoC
To help understand the existing problem, this section re-explains the problem in detail, covering information related to the general running process and the root cause of the problem.
V. Additional Information
5.1. To complete the explanation, the PoC explanations are accompanied by videos (unlisted on YouTube, provided in the document and via direct email to Tim);
6.1. PCI DSS v3.2 point 6.5.9 (for CSRF);
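As an added illustration (this is not BigTree's code and not part of the report above), the following Python model shows the three situations the report describes: a state-changing admin action with no protection at all, the same action guarded only by a same-origin “Referer” check, and the action guarded by a per-session synchronizer token. The colophon action, the origin https://cms.example, the header and form-field names and every function here are assumptions made for the model; the forged cross-site request is constructed for the demo.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed origin of the CMS admin site (hypothetical; not a BigTree value).
SITE_ORIGIN = "https://cms.example"


def issue_csrf_token(session):
    """Generate a per-session token, keep it server-side and return it for the form."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def referer_is_same_origin(headers):
    """Referer-based check: the request must carry a Referer from our own origin.

    Browsers may omit Referer (Referrer-Policy, privacy settings), so a server
    that also accepted a *missing* Referer would be bypassable; this model
    treats a missing header as a failure.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    parsed = urlparse(referer)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def csrf_token_is_valid(session, form):
    """Synchronizer-token check: the submitted token must equal the session's."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def change_colophon(site, session, headers, form, protection):
    """Hypothetical model of the "change colophon" admin action.

    `protection` selects which check guards the state change:
      "none"    - no check at all (the condition the report describes)
      "referer" - same-origin Referer required
      "token"   - per-session CSRF token required
    Returns (http_status, current_colophon).
    """
    if protection == "none":
        allowed = True
    elif protection == "referer":
        allowed = referer_is_same_origin(headers)
    elif protection == "token":
        allowed = csrf_token_is_valid(session, form)
    else:
        raise ValueError(f"unknown protection mode {protection!r}")

    if not allowed:
        return 403, site["colophon"]
    site["colophon"] = form["colophon"]
    return 200, site["colophon"]


def run_scenarios():
    """Replay a forged cross-site POST against each protection mode, then a
    legitimate same-origin POST that carries the token. Returns the status codes."""
    results = {}
    # Constructed attacker request: an attacker page auto-submits a form to the
    # CMS; the browser attaches the victim's session cookie but no CSRF token.
    forged_headers = {"Referer": "https://attacker.example/poc.html"}
    forged_form = {"colophon": '<a href="https://attacker.example">Built on Evil</a>'}

    for mode in ("none", "referer", "token"):
        site = {"colophon": "Built on BigTree CMS"}
        session = {}
        issue_csrf_token(session)  # the victim holds a valid admin session
        status, _ = change_colophon(site, session, forged_headers, forged_form, mode)
        results[mode] = status

    # Legitimate submission: same-origin Referer plus the token from the form.
    site = {"colophon": "Built on BigTree CMS"}
    session = {}
    token = issue_csrf_token(session)
    good_headers = {"Referer": f"{SITE_ORIGIN}/admin/settings/"}
    good_form = {"colophon": "Built on BigTree CMS", "csrf_token": token}
    results["legit_token"] = change_colophon(site, session, good_headers, good_form, "token")[0]
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The forged request succeeds only in the "none" mode, which is the state the report describes for the Colophon, User Deletion and Navigation Social features. The Referer check stops this particular PoC, but it depends on the browser sending the header at all, which is why a per-session token compared in constant time is the standard fix.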
Thank you, Yoko!
We've implemented a (hopefully) comprehensive cross-site request forgery token solution that should address the noted areas of weakness as well as many more niche areas as well beginning with this commit and ending with this commit. These will be rolled out next week in the 4.2.17 release.
As the 4.1 branch has reached end of life (including security updates) that branch will not receive the CSRF token solution.
Let me know if you have any questions!
Thank you so much for the update. And glad to know the fixes will come so fast.
Just a footnote for readers and users: Tim replied to the 1st report (via email) in less than 6 hours. A really fast response for a reported issue that's not really critical.