
Multiple Security Issue of CSRF at Few Parameters #275

Closed
@yokokho

#' Exploit Title: Multiple Security Issue of CSRF at Few Parameters
#' Vulnerability Type: Cross-Site Request Forgery (CAPEC-62, CWE-352)
#' Reporting Date: 14-03-2017
#' Author: @yokoacc, @rungga_reksya, @DvNrCy
#' Vendor Homepage: https://www.bigtreecms.org/
#' Software Link: https://github.com/bigtreecms
#' Version: v.4.1.18 and v.4.2.16

I. Abstract

As quoted from the official site of BigTree CMS, BigTree CMS is an open source content management system built on PHP and MySQL. It was created by – and for – user experience and content strategy experts. BigTree’s user system is designed for a single webmaster or large distributed teams. Users can be editors or publishers of a single page or the entire site.

II. Introduction

2.1. Cross Site Request Forgery (CSRF)

In general, CSRF is an attack that "forces" a user into performing an action they did not intend in a web application, by abusing the fact that the victim is currently authenticated (logged in). The attack is possible because the application does not re-authenticate the user before a state change, or because it does not require a unique, unpredictable token to authorize that change (the token is used so that the user is not bothered with re-entering a password for minor changes).

In this case, the missing CSRF token was found on several features, namely Colophon changing (a feature for easily changing the site footer), User deletion, and Navigation Social changing (which allows the social link URL to be replaced with a malicious one).

Please note that while examining BigTree CMS we found that some features are protected by requiring the HTTP "Referer" header on the request. For example, when we tried to build a CSRF PoC against the "Add User" feature, a valid "Referer" header was needed to complete the PoC. The three features mentioned above, however, have no such protection.

2.2. Colophon Feature

In short, this feature lets users write their own footer text for the sidebar. By default the Colophon value is "Built on BigTree CMS", with the product name linking to the vendor site.

2.3. Nav-Soc Feature (Navigation Social)

This feature lets users add their own social network links, with the given URL and logo, to the sidebar of the application.

III. Summary of Issue

As described above, the security problem in this report is a lack of CSRF token on separate parameters, which allows changes such as:
3.1. Deleting the Registered User (both of v.4.2.16 and v.4.1.18);
3.2. Change the Colophon Information (both of v.4.2.16 and v.4.1.18); and
3.3. Change the Navigation Social (both of v.4.2.16 and v.4.1.18).

IV. Information and Situation of this PoC

To make the problem understandable, this section (in the attached document) re-explains each issue in detail, including how the affected feature normally works and the root cause of the problem:
4.1. Deleting the Registered User with CSRF (Provided at Document);
4.2. Change the Colophon with CSRF (Provided at Document);
4.3. Change the Navigation Social with CSRF (Provided at Document).

V. Additional Information

5.1. To complete the explanation, each PoC is accompanied by a video (unlisted on YouTube, linked in the document and sent by direct email to Tim);
5.2. The scripts used to execute the PoCs are also provided (in the document and by direct email to Tim).

VI. References

6.1. PCI DSS v3.2 point 6.5.9 (for CSRF);
6.2. CAPEC-62: Cross Site Request Forgery - https://capec.mitre.org/data/definitions/62.html;
6.3. CWE-352: Cross-Site Request Forgery - https://cwe.mitre.org/data/definitions/352.html;
6.4. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF);
6.5. https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF).

VII. Document:

BigTree - Multiple Issue of CSRF that could Illegally Few Data Changes v02.pdf
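As an added illustration of the two protections discussed in section 2.1 and in the note about the "Referer" header (this is example code written for this page, not BigTree's own code, and the `colophon` form name, the `csrf_token` field and the site origin are assumptions), the following shows a synchronizer-token check combined with a strict Origin/Referer check, with the cases a practitioner wants to see handled: a missing Referer is rejected rather than waived, tokens are compared in constant time, and a token is single-use.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example: a per-session, per-form synchronizer token plus a
# strict Origin/Referer check. Not BigTree code; the form name "colophon",
# the field name "csrf_token" and SITE_ORIGIN are assumptions for the demo.
SITE_ORIGIN = "https://cms.example.org"   # assumed origin of the admin site


def issue_token(session: dict, form: str) -> str:
    """Create an unpredictable token for one form and store it server-side."""
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf", {})[form] = token
    return token


def same_origin(header_value, expected_origin: str) -> bool:
    """True only if scheme://host[:port] of the header equals the site origin."""
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == expected_origin


def source_check(headers: dict) -> bool:
    """Prefer Origin; fall back to Referer. A missing Referer is a failure,
    otherwise a forged request sent under a no-referrer policy would pass."""
    origin = headers.get("Origin")
    if origin is not None:
        return same_origin(origin, SITE_ORIGIN)
    return same_origin(headers.get("Referer"), SITE_ORIGIN)


def token_check(session: dict, form: str, submitted) -> bool:
    """Constant-time comparison of the submitted token with the stored one."""
    expected = session.get("csrf", {}).get(form)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_colophon_update(session: dict, headers: dict, fields: dict):
    """Hypothetical state-changing handler. Returns (accepted, reason);
    both the source check and the token check must pass."""
    if not source_check(headers):
        return False, "origin/referer mismatch"
    if not token_check(session, "colophon", fields.get("csrf_token")):
        return False, "bad csrf token"
    session["csrf"].pop("colophon", None)        # token is single-use
    session["colophon"] = fields.get("colophon", "")
    return True, "ok"


def demo() -> dict:
    """Run the legitimate flow and three forged requests; return the outcomes."""
    results = {}

    # Legitimate submission: page rendered by the site, token present.
    session = {}
    token = issue_token(session, "colophon")
    results["legit"] = handle_colophon_update(
        session, {"Origin": SITE_ORIGIN},
        {"csrf_token": token, "colophon": "Powered by us"})

    # Replay of the same token after it was consumed.
    results["replay"] = handle_colophon_update(
        session, {"Origin": SITE_ORIGIN},
        {"csrf_token": token, "colophon": "replayed"})

    # Cross-site form post: browser sends the attacker's origin, no token.
    session = {}
    issue_token(session, "colophon")
    results["cross_site"] = handle_colophon_update(
        session, {"Origin": "https://attacker.example"},
        {"colophon": "<a href='https://attacker.example'>owned</a>"})

    # Cross-site post with Origin and Referer suppressed (no-referrer policy).
    results["no_referer"] = handle_colophon_update(
        session, {}, {"colophon": "owned"})

    # Valid source headers but no token: the token check still has to fail.
    results["no_token"] = handle_colophon_update(
        session, {"Referer": SITE_ORIGIN + "/admin/settings/"}, {"colophon": "x"})

    return results
```

The design point is that the Referer check alone, as the report describes it, is a source check: it only tells the server which page the browser claims the request came from, and browsers do not always send it. The per-form token is what actually proves the request was built from a page the server rendered for that session, so the token check is the one that must be present on every state-changing handler, with the source check as a second layer.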
