BlackCatDevelopment / BlackCatCMS

BlackCat CMS is a PHP5, HTML5 content management system
https://blackcat-cms.org

CSRF Bypass v1.3.6 #389

Closed zxc7528064 closed 4 years ago

zxc7528064 commented 4 years ago

Affected software: BlackCat CMS

Type of vulnerability: CSRF (Cross-Site Request Forgery)

Discovered by: Noth

Author: Noth

Version: v1.3.6

Description: BlackCat CMS is vulnerable to persistent Cross-Site Request Forgery attacks, which allow malicious users to inject HTML or scripts and forge user permissions to operate.

Vulnerable URL: http://127.0.0.1/blackcatcms-release/backend/login/index.php

Step 1: go to backend/login/index.php

Step 2: Use Burp Suite to intercept packets

Step 3: Generate PoC (remove the csrf_token ==> "")

Test Video : https://drive.google.com/file/d/1tfIPHocmoskX-9wc5rw_7kdX3lNmGpzG/view?usp=sharing

Bypass the csrf_token to login

creativecat commented 4 years ago

Thank you, we will provide a patch soon!

Kind regards, Matthias Glienke

https://blackcat-cms.org
https://github.com/BlackCatDevelopment/BlackCatCMS

info@blackcat-cms.org

On 30.05.2020 at 23:29, Not_H notifications@github.com wrote:

> Hi ~ I found a CSRF bypass vulnerability! Version: v1.3.6. Author: Noth (沈彧璿). Step 1: go to backend/login/index.php. Step 2: use Burp Suite to intercept packets. Step 3: generate PoC (remove the csrf_token ==> ""). Test video: https://drive.google.com/file/d/1tfIPHocmoskX-9wc5rw_7kdX3lNmGpzG/view?usp=sharing. Bypass the csrf_token to login.

zxc7528064 commented 4 years ago

@creativecat Thank you!

webbird commented 4 years ago

Token use is optional, is it set to on or off?
I do not see a high risk here. The user still needs valid account data for login.

zxc7528064 commented 4 years ago

The token can be bypassed; this is a problem.

webbird commented 4 years ago

A token is generated in any case here, that doesn't mean it is used in any case, too. You will need to enable the check first. I will add a check for empty token, but ONLY if CSRFMagic is enabled.

[Screenshot: BlackCat CMS » Administration - SETTINGS]

zxc7528064 commented 4 years ago

@webbird Thank you, I got it.

webbird commented 4 years ago

Anyway, the token is not being checked in any case, so we have to fix this.

webbird commented 4 years ago

Now we have a problem with valid login... :(

zxc7528064 commented 4 years ago

Did you already fix it?

webbird commented 4 years ago

This is still work in progress. I am having a full time job. ;)

zxc7528064 commented 4 years ago

xD Ok! @webbird, if the security problem is fixed, please tell me!

webbird commented 4 years ago

Should work now, will have to do some testing...

webbird commented 4 years ago

"Add page" does not work now...

webbird commented 4 years ago

Since I have some problems with csrf-magic and it is no longer maintained, I am currently testing the integration of another module. This will take some time.

https://github.com/mebjas/CSRF-Protector-PHP

zxc7528064 commented 4 years ago

Ok ! @webbird Just fix it slowly

Best Regards

webbird commented 4 years ago

Issue "fixed" by removing the CSRF token. V1.4 will use SameSite cookies instead.
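
The two defensive points raised in this thread, an empty token that is never rejected (webbird's comment about adding an empty-token check) and the move to SameSite cookies for v1.4, as an added PHP example that is not BlackCat CMS, csrf-magic or CSRF-Protector-PHP code. The form field name `csrf_token`, the session key `$_SESSION['csrf_token']`, and the function names are hypothetical; the request arrays at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not BlackCat CMS code): a minimal login-form token check that
// shows the defect discussed in this thread next to a fail-closed version, plus
// the SameSite session-cookie setting used as a second layer.
// Assumptions (hypothetical): the form posts a field named 'csrf_token' and the
// expected value is kept in the session under the key 'csrf_token'.

declare(strict_types=1);

/**
 * Weak check: an absent or empty token is treated as "nothing to verify", so
 * a request with the csrf_token field stripped passes without a comparison.
 */
function csrfTokenValidWeak(array $post, array $session): bool
{
    if (!isset($post['csrf_token']) || $post['csrf_token'] === '') {
        return true; // defect: missing token is accepted
    }
    return $post['csrf_token'] === ($session['csrf_token'] ?? '');
}

/**
 * Hardened check: fail closed when either side is missing, empty or not a
 * string, and compare in constant time so the token does not leak via timing.
 */
function csrfTokenValidStrict(array $post, array $session): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($sent) || !is_string($expected) || $sent === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $sent);
}

/** Issue a fresh, unpredictable token for the login form (32 random bytes, hex). */
function csrfTokenIssue(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/**
 * Second layer, matching the v1.4 plan from the thread: mark the session cookie
 * SameSite so a form posted from another origin does not carry it. The options
 * array form of session_set_cookie_params() needs PHP 7.3 or later. 'Lax' keeps
 * ordinary top-level links into the backend working; 'Strict' is tighter but
 * drops the cookie on every cross-site navigation.
 */
function configureSessionCookie(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demonstration with constructed request data (no real credentials).
$session = [];
csrfTokenIssue($session);

$requests = [
    'legit'       => ['username' => 'demo', 'password' => 'demo', 'csrf_token' => $session['csrf_token']],
    'empty token' => ['username' => 'demo', 'password' => 'demo', 'csrf_token' => ''],
    'no token'    => ['username' => 'demo', 'password' => 'demo'],
];

foreach ($requests as $label => $req) {
    printf("%-12s weak=%s strict=%s\n", $label,
        csrfTokenValidWeak($req, $session) ? 'accept' : 'reject',
        csrfTokenValidStrict($req, $session) ? 'accept' : 'reject');
}
```

Run it with `php` on the command line: the weak variant accepts all three requests, the strict one only the first. Call `configureSessionCookie()` before `session_start()`; the cookie attribute complements the token check rather than replacing it, because a token-less handler still depends on every browser honouring SameSite.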

zxc7528064 commented 4 years ago

@webbird Thank you.