Closed zxc7528064 closed 4 years ago
Thank you, we will provide a patch soon!
Best regards, Matthias Glienke
————————————————————————— https://blackcat-cms.org https://github.com/BlackCatDevelopment/BlackCatCMS —————————————————————————
info@blackcat-cms.org
On 30.05.2020 at 23:29, Not_H notifications@github.com wrote:
Hi ~ I found a CSRF Bypass Vulnerability!
Version: v1.3.6
Author: Noth(沈彧璿)
Step 1: go to backend/login/index.php
Step 2: Use burpsuite to intercept packets
Step 3: Generate PoC ( remove the csrf_token ==> "" )
Test Video: https://drive.google.com/file/d/1tfIPHocmoskX-9wc5rw_7kdX3lNmGpzG/view?usp=sharing
Bypass the csrf_token to login
@creativecat Thank you!
Token use is optional, is it set to on or off?
I do not see a high risk here. The user still needs valid account data for login.
Token can be bypassed, this is a problem
A token is generated in any case here, that doesn't mean it is used in any case, too. You will need to enable the check first. I will add a check for empty token, but ONLY if CSRFMagic is enabled.
@webbird Thank you, I got it
Anyway, the token is not being checked in any case, so we have to fix this.
Now we have a problem with valid login... :(
Did you already fix it?
This is still work in progress. I am having a full time job. ;)
xD OK! @webbird if the security problem is fixed, please tell me!
Should work now, will have to do some testing...
"Add page" does not work now...
Since I have some problems with csrf-magic and it is no longer maintained, I am currently testing the integration of another module. This will take some time.
OK! @webbird Just fix it slowly
Best Regards
Issue "fixed" by removing CSRF Token. V1.4 will use same site cookies instead.
@webbird Thank you.
Affected software: BlackCat CMS
Type of vulnerability: CSRF (Cross-Site Request Forgery)
Discovered by: Noth
Author: Noth
Version : v.1.3.6
Description: BlackCat CMS is vulnerable to persistent Cross-Site Request Forgery attacks, which allow malicious users to inject HTML or scripts and forge user permissions to operate.
Vulnerable URL: http://127.0.0.1/blackcatcms-release/backend/login/index.php
Step 1 : go to backend/login/index.php
Step 2 : Use burpsuite to intercept packets
Step 3 : Generate PoC ( remove the csrf_token ==> "" )
Test Video : https://drive.google.com/file/d/1tfIPHocmoskX-9wc5rw_7kdX3lNmGpzG/view?usp=sharing
Bypass the csrf_token to login
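The empty-token check discussed in this thread, as an added example that is not part of the original issue and is not BlackCat CMS or csrf-magic code. The function names and the `csrf_token` session key are assumptions; the request data is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; not BlackCat CMS or csrf-magic code.

/** Issue a per-session token and return it for embedding in the login form. */
function issue_csrf_token(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/**
 * Validate the submitted token. A missing or empty value on either side is a
 * failure, never "nothing to check".
 */
function csrf_token_valid(array $session, array $post): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';

    if (!is_string($expected) || !is_string($submitted)) {
        return false; // e.g. csrf_token[]=x arrives as an array
    }
    if ($expected === '' || $submitted === '') {
        return false; // the empty-token case from this report
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Constructed requests, for demonstration only.
$session = [];
$token   = issue_csrf_token($session);

$cases = [
    'valid token'   => ['csrf_token' => $token],
    'empty token'   => ['csrf_token' => ''],
    'field removed' => [],
    'array value'   => ['csrf_token' => ['x']],
    'wrong token'   => ['csrf_token' => str_repeat('0', 64)],
];
foreach ($cases as $name => $post) {
    printf("%-14s %s\n", $name, csrf_token_valid($session, $post) ? 'accept' : 'reject');
}
// No token issued yet and an empty submission: must also be rejected.
printf("%-14s %s\n", 'no session', csrf_token_valid([], ['csrf_token' => '']) ? 'accept' : 'reject');
```

Rejecting the request when the server-side token is empty matters as much as rejecting an empty submitted value, because otherwise two empty strings compare equal.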