ChurchCRM / CRM

ChurchCRM is an OpenSource Church CRM & Management Software.
https://ChurchCRM.io
MIT License

Cross-Site Request Forgery (CSRF) vulnerability in Change Password functionality #6448

Open gulivindala opened 1 year ago

gulivindala commented 1 year ago

On what page in the application did you find this issue?

http://192.168.0.103/churchcrm/v2/user/2/changePassword

On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?

windows/xampp

What browser (and version) are you running?

firefox

What version of PHP is the server running?

7.4.27

What version of SQL Server are you running?

7.4.27

What version of ChurchCRM are you running?

4.5.3

Severity: High

Description:

A CSRF vulnerability was discovered in the Change Password functionality of the application, which could allow an attacker to change the password of any user without their knowledge or consent. The vulnerability is due to insufficient CSRF protection on the POST request used to change the password.

Impact:

An attacker can create a malicious website or a crafted HTML email that, when accessed by a victim who is authenticated in the application, will trigger an unauthorized password change. The attacker can craft a POST request with the necessary parameters and submit it through the victim's browser, leveraging the victim's session and authentication to execute the unauthorized action.

Affected Component:

POST /churchcrm/v2/user/2/changePassword

Technical Details:

The vulnerability is caused by the lack of CSRF tokens or other CSRF protections on the POST request used to change the password. As a result, an attacker can submit a crafted POST request to the application, which will be processed by the server as a legitimate request coming from an authenticated user.

Proof of Concept (PoC):

An attacker can create a simple HTML page that will submit the following POST request to the vulnerable endpoint:

<html>
  <body>
    <form action="http://192.168.0.103/churchcrm/v2/user/2/changePassword" method="POST">
      <input type="hidden" name="NewPassword1" value="hacked123">
      <input type="hidden" name="NewPassword2" value="hacked123">
      <input type="submit" value="Submit">
    </form>
  </body>
</html>

When the victim accesses this page while being authenticated in the application, the POST request will be sent with the victim's session and authentication information, causing the victim's password to be changed to the attacker's chosen password.

Remediation:

To fix this vulnerability, the application should implement a strong CSRF protection mechanism that includes generating unique tokens for each user session and verifying those tokens on every POST request that modifies sensitive user data, such as changing passwords. Additionally, the application should avoid using GET requests to perform actions that modify state, such as changing a password, as this could expose the application to other types of attacks.
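
The remediation described in the report above, sketched as an added example that is not part of the original issue and is not ChurchCRM's own code: a per-session synchronizer token that is checked before the password-change POST is allowed to modify anything. The function names and the `csrf_token` field are hypothetical; `NewPassword1` and `NewPassword2` are the field names from the report, and `$session` / `$post` stand in for `$_SESSION` / `$_POST`.

```php
<?php
// Added example: synchronizer-token CSRF check for a password-change POST.
// Function names and the "csrf_token" field are hypothetical, not ChurchCRM's.
declare(strict_types=1);

/** Return the per-session token, creating it on first use. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG value
    }
    return $session['csrf_token'];
}

/** True only if the submitted token matches the one stored in the session. */
function csrfValid(array $session, array $post): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted); // constant-time comparison
}

/** Handle the POST: reject before touching state if the token is missing or wrong. */
function handleChangePassword(array &$session, array $post): int
{
    if (!csrfValid($session, $post)) {
        return 403; // tokenless or mismatched request, password untouched
    }
    $new = $post['NewPassword1'] ?? '';
    if ($new === '' || $new !== ($post['NewPassword2'] ?? null)) {
        return 400;
    }
    // ... update the stored password hash here (application-specific) ...
    unset($session['csrf_token']); // rotate the token after a sensitive change
    return 200;
}

// Constructed demo data.
$session = [];
$token   = csrfToken($session); // rendered into the application's own form as a hidden field

$withoutToken = ['NewPassword1' => 'example-pass', 'NewPassword2' => 'example-pass'];
$withToken    = $withoutToken + ['csrf_token' => $token];

echo handleChangePassword($session, $withoutToken), PHP_EOL; // request lacking the session token
echo handleChangePassword($session, $withToken), PHP_EOL;    // request from the application's form
```

Because the token lives only in the server-side session and in pages the application itself renders, a form hosted on another origin has no way to supply it, so the request is rejected before the password logic runs.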

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] commented 11 months ago

This issue was closed because it has been stalled for 15 days with no activity.