CSRF protection to front end and CSRF protection on GET to admin control panel #1576

Closed
abrookbanks opened this Issue Apr 7, 2017 · 2 comments

abrookbanks commented Apr 7, 2017

  • CSRF in managing customer newsletter subscription
    Description: This enables an attacker to force users to
    subscribe/unsubscribe to newsletters.
    URL: /index.php?_a=newsletter&action=subscribe|unsubscribe

  • CSRF in changing profile information of customers
    Description: When a customer changes their profile information, a POST
    request is sent without a token that verifies that the action originated
    from the logged in user.
    URL: /index.php?_a=profile

  • Reflected XSS against customers in the addressbook area
    Description: The "redir" GET parameter is not well processed before being
    reflected into a link, causing reflected XSS.
    URL: /index.php?_a=addressbook&action=edit&redir="onmouseover="alert(1)
    Hovering over the red "Cancel" button triggers the alert box

  • Reflected XSS against customers in the contact us form
    Description: The contact us page doesn't sanitize its input when
    reflecting it again in the page if an error occurred, such as incorrect
    captcha input.
    URL: /index.php?_a=contact

  • Stored XSS against admins by customer's information
    Description: The "Title", "First Name", and "Last Name" fields of the
    customers are reflected into the admin's panel when they try to view the
    customers of the web app without proper sanitization.
    URL: /index.php?_a=profile

The following issues require knowledge of the exact administrator page's
name, as it contains a 6 character hash. FOLDER refers to an arbitrary
folder name, and ID refers to an arbitrary id value:

  • Directory traversal allows for DoS by deleting folders
    Description: A directory traversal in the folder deletion function allows
    for deleting folders outside the /images/source directory, allowing for
    Denial of Service by deleting the whole root directory of the web
    application and possibly more important files on the server if proper
    permissions were not set.
    URL: admin_xxxxxx.php?_g=filemanager&mode=xss&delete=../../FOLDER

  • CSRF in admin users deletion including the website's super user
    Description: This enables an attacker to force administrators to delete any
    user, including the main admin even if they're the ones logged in.
    URL: admin_xxxxxx.php?_g=settings&node=admins&action=delete&admin_id=ID

  • CSRF in file deletion
    Description: This enables an attacker to force administrators to delete
    files.
    URL: admin_xxxxxx.php?_g=filemanager&node=index&delete=ID

  • CSRF in country and zone deletion
    Description: This enables an attacker to force administrators to delete
    countries and zones.
    URL: admin_xxxxxx.php?_g=settings&node=geo&page-country=1&page-zone=2&delete=country&id=ID
    admin_xxxxxx.php?_g=settings&node=geo&page-country=1&page-zone=2&delete=zone&id=ID

  • Reflected XSS in reports
    Description: A reflected XSS exists because the "report[date][to]" and
    "report[date][from]" GET parameters are not well sanitized before being
    reflected into the page.
    URL: admin_xxxxxx.php?_g=reports&report[date][from]="onmouseover="alert(1)&report[date][to]="onmouseover="alert(1)

Lots of similar CSRF issues across the web application exist. Nearly all
the delete functions are implemented using GET requests without a nonce
being sent along with the request.

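The fix the issue title asks for, shown as an added example that is not CubeCart's own code: a per-session token appended to every state-changing GET link and verified before the handler deletes anything, plus attribute escaping for a reflected value such as the "redir" parameter. The function names (csrf_token, delete_link, csrf_check, handle_delete, attr), the simulated session array and the sample store are hypothetical; the admin URL follows the issue's admin_xxxxxx.php placeholder.

```php
<?php
// Added example, not project code. Demonstrates a CSRF nonce for GET-driven
// delete links and escaping for a reflected attribute value. All function
// names are hypothetical; $session stands in for $_SESSION.
declare(strict_types=1);

$session = [];   // simulated session store (constructed for this example)

// Issue one unguessable token per session and reuse it for its lifetime.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Build a state-changing link that carries the token. Every delete link in
// the control panel would be rendered this way instead of as a bare
// ...&action=delete&admin_id=ID URL that any cross-site page can reproduce.
function delete_link(string $base, array $params, array &$session): string
{
    $params['token'] = csrf_token($session);
    return $base . '?' . http_build_query($params);
}

// Handler-side check. hash_equals() is constant-time; a missing token is a
// failure, not a pass, so a forged request without the parameter is refused.
function csrf_check(array $query, array $session): bool
{
    if (empty($session['csrf_token']) || !isset($query['token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $query['token']);
}

// Delete action that refuses to act before the token has been verified.
function handle_delete(array $query, array $session, array &$store): string
{
    if (!csrf_check($query, $session)) {
        return 'refused: bad or missing CSRF token';
    }
    $id = (int) ($query['admin_id'] ?? 0);
    if (!isset($store[$id])) {
        return "no such id $id";
    }
    unset($store[$id]);
    return "deleted $id";
}

// Escaping for a value reflected inside an HTML attribute, such as "redir"
// rendered into the Cancel button's href. ENT_QUOTES encodes the double quote
// that the issue's proof of concept uses to break out of the attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Demonstration on constructed input ---
$store = [1 => 'superuser', 2 => 'editor'];   // constructed admin table

// The legitimate page renders a link carrying the session's token.
$link = delete_link('admin_xxxxxx.php',
    ['_g' => 'settings', 'node' => 'admins', 'action' => 'delete', 'admin_id' => 2],
    $session);
parse_str((string) parse_url($link, PHP_URL_QUERY), $legit);
echo handle_delete($legit, $session, $store), "\n";   // deleted 2

// A cross-site attacker can reproduce the URL but not the token.
$forged = ['_g' => 'settings', 'node' => 'admins', 'action' => 'delete', 'admin_id' => 1];
echo handle_delete($forged, $session, $store), "\n";  // refused

// The reflected XSS payload from the issue, rendered safely in an attribute.
$poc = '"onmouseover="alert(1)';
echo '<a href="/index.php?_a=addressbook&amp;redir=' . attr($poc) . '">Cancel</a>', "\n";
```

Run with `php example.php`. Two points the example does not change but a practitioner should keep in mind: the token protects against a forged request, but a GET that mutates state is still reachable through prefetchers, link previews and browser history, so moving the delete actions to POST is the more robust second step; and the escaping in attr() is only correct for a value placed inside a quoted attribute, as the reflected "redir" link here, not for a value that ends up inside a script block or an unquoted attribute.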
Dirty-Butter Apr 9, 2017

Not sure if this is related:
On Mailing List - checkbox allows an email address to be deleted, but the trashcan icon delete causes the CSRF no matter if I refresh before attempting. So the email address will not delete via icon.

I tried going back to 6.1.5 for customers.subscribers.php and customers.subscribers.inc.php, but still CSRF for delete icon.

Tried the same thing with deleting a test order, with same result - checkbox worked - garbage can causes CSRF.

abrookbanks added a commit that referenced this issue Apr 10, 2017

abrookbanks Apr 11, 2017

Certainly a few issues; I missed the AJAX functions of the email validation.

abrookbanks added a commit that referenced this issue Apr 18, 2017

@abrookbanks abrookbanks added this to the 6.1.6 milestone Apr 18, 2017