
Multiple Security Issue of CSRF at Few Parameters #275

Closed
yokokho opened this issue Mar 15, 2017 · 2 comments

@yokokho

commented Mar 15, 2017

#' Exploit Title: Multiple Security Issue of CSRF at Few Parameters
#' Vulnerability Type: Cross-Site Request Forgery (CAPEC-62, CWE-352)
#' Reporting Date: 14-03-2017
#' Author: @yokoacc, @rungga_reksya, @dvnrcy
#' Vendor Homepage: https://www.bigtreecms.org/
#' Software Link: https://github.com/bigtreecms
#' Version: v.4.1.18 and v.4.2.16

I. Abstract

As quoted from the official site of BigTree CMS, BigTree CMS is an open source content management system built on PHP and MySQL. It was created by – and for – user experience and content strategy experts. BigTree’s user system is designed for a single webmaster or large distributed teams. Users can be editors or publishers of a single page or the entire site.

II. Introduction

2.1. Cross Site Request Forgery (CSRF)

Generally, CSRF is an attack that “forces” a user to do something that is basically “unwanted” in a web-based application by utilizing the circumstance that the victim is authorized (logged in). In general, this kind of attack is possible because of the absence of an authentication step when making a change, or the absence of a unique token that allows the related action to be processed (the unique token is usually used so the user wouldn’t be troubled by typing a password for changes that are not quite significant).

In this situation, the problem related to the lack of a CSRF token could be found in a few features such as Colophon Changing (a feature to change a web footer easily), User Deletion, and Navigation Social Changing (changing the URL to a malicious one).

Please kindly note, as we learned a few things about BigTree CMS, we found that protection is given by requiring the “Referrer” header of the HTTP/S request. For example, when we tried to do a PoC of CSRF at the “Add User” feature, the feature needs the “Referrer” header to “completely finish” the PoC. But at those 3 (three) mentioned features, the protection is not given yet.

2.2. Colophon Feature

In short, this feature allows the users to write their own footer in the sidebar. By default, the value of Colophon is "Built on BigTree CMS" with an embedded URL at the product name.

2.3. Nav-Soc Feature (Navigation Social)

The feature allows the users to put their own social networks, with the provided URLs and logos, in the sidebar that exists in the application.

III. Summary of Issue

As has been delivered before, the security problem in this report relates to the “Lack of CSRF Token” at separate parameters that could affect some changes like:
3.1. Deleting the Registered User (both of v.4.2.16 and v.4.1.18);
3.2. Change the Colophon Information (both of v.4.2.16 and v.4.1.18); and
3.3. Change the Navigation Social (both of v.4.2.16 and v.4.1.18).

IV. Information and Situation of this PoC

To be able to understand the existing problem, this section re-explains the problem specifically, with some information related to the general running process or even the root of the existing problem.
4.1. Deleting the Registered User with CSRF (Provided at Document);
4.2. Change the Colophon with CSRF (Provided at Document);
4.3. Change the Navigation Social with CSRF (Provided at Document).

V. Additional Information

5.1. To complete the explanation, the PoC explanations are complemented by videos (unlisted on YouTube, provided in the document and via direct email to Tim);
5.2. And also the script that could be used to execute the PoC (provided in the document and via direct email to Tim).

VI. References

6.1. PCI DSS v3.2 point 6.5.9 (for CSRF);
6.2. CAPEC-62: Cross Site Request Forgery - https://capec.mitre.org/data/definitions/62.html;
6.3. CWE-352: Cross-Site Request Forgery - https://cwe.mitre.org/data/definitions/352.html;
6.4. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF);
6.5. https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF).

VII. Document:

BigTree - Multiple Issue of CSRF that could Illegally Few Data Changes v02.pdf

@timbuckingham

Collaborator

commented Mar 17, 2017

Thank you, Yoko!

We've implemented a (hopefully) comprehensive cross-site request forgery token solution that should address the noted areas of weakness as well as many more niche areas, beginning with this commit and ending with this commit. These will be rolled out next week in the 4.2.17 release.

As the 4.1 branch has reached end of life (including security updates) that branch will not receive the CSRF token solution.

Let me know if you have any questions!
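The report's section 2.1 describes the two defenses at play here (a unique per-session token, and the Referer/Origin check that BigTree already applied to some features), and the maintainer's reply describes moving to a token solution. The following is an added illustration of that synchronizer-token pattern, written here in Python for a runnable demonstration; it is not BigTree's code, and the route path, origin and user records are constructed placeholders. A state-changing handler accepts the request only when the submitted token matches the session's token (compared in constant time) and, as defense in depth, when the Origin or Referer header names the site's own origin.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed placeholder for the site's own origin (not a real deployment).
SITE_ORIGIN = "https://cms.example"


@dataclass
class Session:
    """Server-side session: the CSRF token is minted once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request bound to a session."""
    method: str
    path: str
    headers: dict
    form: dict
    session: Session


def same_origin(headers):
    """Defense in depth: a state-changing request must carry an Origin or
    Referer header whose scheme://host matches our own origin.  A missing
    header is treated as a failure, not as a pass."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def verify_csrf(request):
    """Synchronizer token: the token submitted in the form (or in a
    constructed X-CSRF-Token header) must equal the session's token.
    hmac.compare_digest avoids leaking the token through timing."""
    submitted = request.form.get("csrf_token") or request.headers.get("X-CSRF-Token", "")
    expected = request.session.csrf_token
    return bool(submitted) and hmac.compare_digest(submitted, expected)


def delete_user_handler(request, users):
    """Handler for a user-deletion action (constructed route).  Returns an
    (HTTP status, message) tuple and mutates `users` only on success."""
    if request.method != "POST":
        return 405, "state-changing actions must use POST"
    if not verify_csrf(request):
        return 403, "csrf token missing or invalid"
    if not same_origin(request.headers):
        return 403, "cross-origin request refused"
    target = request.form.get("id")
    if target not in users:
        return 404, "no such user"
    del users[target]
    return 200, f"deleted user {target}"


def demo():
    """Run one legitimate request and one forged request against the handler."""
    sess = Session(user="admin")
    users = {"1": "admin", "2": "editor"}  # constructed sample data

    # Legitimate submission: the page rendered by the CMS embedded the token.
    legit = Request("POST", "/admin/users/delete/",
                    {"Origin": SITE_ORIGIN},
                    {"id": "2", "csrf_token": sess.csrf_token}, sess)
    legit_result = delete_user_handler(legit, users)

    # Cross-site submission: the browser attaches the session, but the other
    # site cannot read the token, so the form arrives without it.
    forged = Request("POST", "/admin/users/delete/",
                     {"Referer": "https://other-site.example/"},
                     {"id": "1"}, sess)
    forged_result = delete_user_handler(forged, users)
    return legit_result, forged_result, users


if __name__ == "__main__":
    print(demo())
```

The ordering in `delete_user_handler` matters: the token check runs before any data is touched, and the origin check is kept even with the token in place, so a feature that forgets to render the token still fails closed rather than silently accepting cross-site posts.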

@timbuckingham timbuckingham added the bug label Mar 17, 2017

@timbuckingham timbuckingham added this to the 4.2.17 milestone Mar 17, 2017

@yokokho

Author

commented Mar 22, 2017

Hi Tim,

Thank you so much for the update. And glad to know the fixes will come so fast.

Just a footnote for readers and users: Tim replied to the 1st report (via email) in less than 6 hours. A really fast response for a reported issue that's not really critical.

Thanks Tim!
