Full CSRF Bypass in unilogies/bumsys


Reported on

Mar 1st 2023


The intended way to reach functionality in $module/ajax.php is through the /xhr endpoint.

Looking at the following code:


    if( ($pageSlug === "xhr" or $pageSlug === "info") and ( !isset($_SERVER["HTTP_X_CSRF_TOKEN"]) or (isset($_SERVER["HTTP_X_CSRF_TOKEN"]) and $_SERVER["HTTP_X_CSRF_TOKEN"] !== $_SESSION["csrf_token"] ) )  ) {
        header('HTTP/1.0 403 Forbidden');
        die("<strong>Error:</strong> You have no permission to access this server.");


We see that if and only if the $pageSlug contains xhr or info, the CSRF token is actually checked.

The general routing logic is as follows: when making a GET or POST request to /$module/$action, the file /module/$module/$action is included. Because the ajax.php file is in each module's directory, for example module/accounts/ajax.php.

We can reach the code in ajax.php directly with the route http://bumsys.local/accounts/ajax and thus completely bypassing the CSRF check.


Make a GET request to for example http://bumsys.local/accounts/ajax?page=accountList to reach ajax.php code without the CSRF token.


Since this is a complete CSRF bypass, every endpoint is vulnerable to CSRF attacks, this could be leveraged to create a new admin account amongst other things.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 3 months ago
Khurshid Alam validated this vulnerability 3 months ago
TsarSec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam
3 months ago


Opps. You are really legend. Thank you man.

Khurshid Alam marked this as fixed in 2.1.1 with commit 86e29d a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago
Khurshid Alam
a month ago


@admin, please assign a CVE.

23 days ago


on it

to join this conversation