CSRF attack used to change user's email, thus blocking its access to the application. in squidex/squidex

Valid

Reported on

Jan 26th 2023


Description

The application lacks protection against Cross-Site Request Forgery (CSRF) because it fails to verify the implementation of the CSRF Token.

For example, if a victim visits the following site (crafted by the attacker) while logged in at the target application, the browser will issue the request (under the victim's context):

This request results in a change in the victim's registered email into an email that the attacker chooses, thus making the victim unable to login using their previous credentials.

Proof of Concept

The image below shows the poc needed to change the credentials:

https://drive.google.com/file/d/1Wvj8BlXlRs64N96tu6lNZSf71Hn5bjYM/view

The next image is the unchanged email address:

https://drive.google.com/file/d/1nCl1CVY87W_H8mfh9v14k2aF67HmqNFV/view

The below images shows the changed request and the browser behaviour:

https://drive.google.com/file/d/1eX8DKK4YaRBhHp4SVHfTarlG7qZLoX_x/view

https://drive.google.com/file/d/1AkdJkOh8CQtGIZKtS9gSyvGLe811cFLO/view

The next image shows the user being unable to login with their previous credentials:

https://drive.google.com/file/d/1xgyOHLLUP2PYxHm-7t7-79vjVZHHXToC/view

Impact

This vulnerability is capable of denying a valid user its access to the application.

We are processing your report and will contact the squidex team within 24 hours. a year ago
f13371y modified the report
a year ago
We have contacted a member of the squidex team and are waiting to hear back a year ago
Sebastian Stehle validated this vulnerability a year ago
f13371y has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Sebastian Stehle marked this as fixed in 7.4.0 with commit 2da3c4 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
to join this conversation