Hi Team,
The application is vulnerable to a CSRF attack.
Affected Application Version: Subrion CMS 4.1.5
The attacker can change the administrator password by sending a crafted request to the application's change-password field.
The application does not validate the source origin the request is coming from, and a CSRF token is not implemented.
Proof of concept is given below:
Crafted code for changing the password of the administrator user.
Crafted request to change the password of the administrator.
The password is changed successfully.
Recommendation:
Implement a CSRF token.
Validate the source origin.
When you fix the bug, could you please include my name in the release notes?
Name : Tushar Kadam
Email : [email protected]
Thank you.
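The two recommendations in the report (a per-session CSRF token and a source-origin check) applied together on a state-changing request such as a password change. This is an added example written for this thread, not Subrion's code or its 4.2.0 fix; the site origin, the session and form dictionaries, and the sample requests are all constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# The site's own origin. A real deployment reads this from configuration;
# this value is constructed for the example.
SITE_ORIGIN = "https://cms.example.test"


def issue_csrf_token(session: dict) -> str:
    """Create a per-session CSRF token on first use and return it for embedding in forms.

    The same token is reused for the life of the session so every form the
    user has open stays valid; only the session store ever sees the value.
    """
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session["csrf_token"] = token
    return token


def origin_allowed(headers: dict, site_origin: str = SITE_ORIGIN) -> bool:
    """Check the Origin header (falling back to Referer) against the site's own origin.

    Fails closed: a request carrying neither header is rejected, because a
    cross-site form post from a browser always carries at least an Origin.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        if not parts.scheme or not parts.netloc:
            return False
        origin = f"{parts.scheme}://{parts.netloc}"
    # Exact string comparison: scheme, host and port must all match.
    return origin == site_origin


def csrf_token_valid(session: dict, form: dict) -> bool:
    """Compare the submitted token with the session's token in constant time."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    # Encode to bytes so compare_digest accepts arbitrary submitted text.
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def authorize_state_change(session: dict, headers: dict, form: dict) -> tuple[bool, str]:
    """Gate a state-changing request (e.g. the change-password POST) on both checks.

    Returns (allowed, reason) so the caller can log the rejection reason.
    """
    if not origin_allowed(headers):
        return False, "origin mismatch"
    if not csrf_token_valid(session, form):
        return False, "csrf token missing or wrong"
    return True, "ok"


def demo() -> dict:
    """Run the checks over constructed requests; returns the decision per case."""
    session = {}  # constructed stand-in for the logged-in admin's server-side session
    token = issue_csrf_token(session)
    cases = {
        # Legitimate submit from the site's own change-password form.
        "same_origin_with_token": ({"Origin": SITE_ORIGIN}, {"csrf_token": token}),
        # Cross-site form post: the browser sends the attacker page's Origin.
        "cross_site_with_guess": ({"Origin": "https://attacker.example"}, {"csrf_token": "guess"}),
        # Same-origin request that forgot the token (e.g. an old cached form).
        "same_origin_no_token": ({"Origin": SITE_ORIGIN}, {}),
        # No Origin/Referer at all: rejected rather than assumed trustworthy.
        "no_headers": ({}, {"csrf_token": token}),
    }
    return {name: authorize_state_change(session, h, f) for name, (h, f) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} -> {decision}")
```

Both checks are layered on purpose: the origin check stops a cross-site post even if a token ever leaks, and the token check stops a same-origin injection or stale client from submitting without one. Neither check replaces the login requirement; they only refuse to act on a logged-in user's cookie when the request did not come from the site's own form.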
Regarding your recommendations, please kindly be informed that the issue has already been fixed in the upcoming 4.2.0 version. The solution meets both of your recommendations: implement a CSRF token and validate the source origin.
Here an important thing should be noted. As shown in your POC, you changed the password while logged in as the Superadministrator user. No regular user, or even a user having moderator privileges, may change the data of other users. Definitely, there should be an understanding that an attack of this type makes no sense in real life.
FYI,
a CSRF attack is only possible when a user is logged in to the application,
so the attacker can create a crafted request and send it to the user via mail or any other source; then, unfortunately, if the admin user clicks on the request, the attacker can change the password of that admin user.