Affected Software
Subrion Open Source CMS
https://subrion.org
https://github.com/intelliants/subrion
Version Tested
4.1.5 - Latest Stable version June 26, 2017
https://subrion.org/download/
Environment Tested
Ubuntu 16.04
PHP 7.0
Vulnerability and Impact
Vulnerability:
Cross-Site Request Forgery CSRF attack on profile update
Impact:
Account Take Over
Changing the password requires knowledge of the current password, which
prevents a trivial account takeover.
It is still possible to take over an account through a CSRF attack, because
the email address of the user can be changed without knowing
the current password.
By changing the email, the attacker is able to perform an account reset :)
Vulnerability Description:
It was discovered that state-changing requests, such as the profile update:
POST /profile/
contain a parameter __st that holds a unique value intended to act as CSRF prevention.
However, this value is not validated on the server side, so the request is accepted
with a wrong or missing token and a CSRF attack is possible.
Steps to Reproduce:
Craft a .html file that contains the CSRF attack POST request.
Please change the http://172.16.6.167 to your own hosted IP address.
The value of fullname does not matter. The important parameter here is email.
Please note that for demonstration purposes, clicking on "Submit request" is
required. A real attack does not require the victim to click any button, as
it is possible to auto-submit the POST request when the page is loaded.
Refer to the screenshot attached. The entire __st parameter is removed and the
state-changing request to update the profile still works.
Recommendation:
Validate the CSRF token
Consider implementing changing of email to require the current password
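The following is an added example of what both recommendations look like in a PHP handler; it is not Subrion's code and the function names (csrf_token, verify_csrf, update_profile), the current_password field and the sample user record are assumptions. The key point matching this report is that a missing or empty __st must fail, not be skipped:

```php
<?php
// Added example, not Subrion's code. Names csrf_token(), verify_csrf(),
// update_profile() and the current_password field are hypothetical.
declare(strict_types=1);

session_start();

// Issue one random token per session; the profile form embeds it as the
// hidden __st field.
function csrf_token(): string
{
    if (empty($_SESSION['__st'])) {
        $_SESSION['__st'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['__st'];
}

// Accept the request only if a token was submitted AND it matches the
// session token. hash_equals() is a constant-time comparison. An absent
// or empty parameter fails closed, which is the exact gap in the report.
function verify_csrf(array $post): bool
{
    $submitted = $post['__st'] ?? '';
    $expected  = $_SESSION['__st'] ?? '';
    if (!is_string($submitted) || $submitted === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Second recommendation: because the e-mail address is a password-reset
// channel, changing it additionally requires the current password.
function update_profile(array $post, array $user): array
{
    if (!verify_csrf($post)) {
        http_response_code(403);
        return ['ok' => false, 'error' => 'invalid or missing CSRF token'];
    }

    $newEmail = $post['email'] ?? $user['email'];
    if ($newEmail !== $user['email']) {
        $current = $post['current_password'] ?? '';
        if (!is_string($current) || !password_verify($current, $user['password_hash'])) {
            http_response_code(403);
            return ['ok' => false, 'error' => 'current password required to change e-mail'];
        }
    }

    // ... persist $post['fullname'] and $newEmail for $user['id'] here ...
    return ['ok' => true, 'email' => $newEmail];
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Render the form with the token embedded.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="/profile/">'
       . '<input type="hidden" name="__st" value="' . $token . '">'
       . '<input name="fullname"><input name="email">'
       . '<input type="password" name="current_password">'
       . '<button>Save</button></form>';
} else {
    // Constructed sample user; a real handler loads it from the session/DB.
    $user = [
        'id'            => 1,
        'email'         => 'alice@example.com',
        'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
    ];
    header('Content-Type: application/json');
    echo json_encode(update_profile($_POST, $user));
}
```

A cross-site form post cannot read the victim's session or the page that embeds the token, so it cannot supply a matching __st; setting the session cookie with the SameSite attribute is a useful second layer but does not replace the server-side check.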
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)