Full CSRF Bypass in unilogies/bumsys

Valid

Reported on

Mar 1st 2023


Description

The intended way to reach functionality in $module/ajax.php is through the /xhr endpoint.

Looking at the following code:

https://github.com/unilogies/bumsys/blob/83bd788c21ce390f62e34ab6755a3e61c106418c/core/route.php#L43-L48

    if( ($pageSlug === "xhr" or $pageSlug === "info") and ( !isset($_SERVER["HTTP_X_CSRF_TOKEN"]) or (isset($_SERVER["HTTP_X_CSRF_TOKEN"]) and $_SERVER["HTTP_X_CSRF_TOKEN"] !== $_SESSION["csrf_token"] ) )  ) {
        
        header('HTTP/1.0 403 Forbidden');
        die("<strong>Error:</strong> You have no permission to access this server.");

    }

We see that the CSRF token is checked if and only if $pageSlug is exactly "xhr" or "info"; any other route skips the check entirely.

The general routing logic is as follows: when making a GET or POST request to /$module/$action, the file /module/$module/$action is included. Because each module has its own ajax.php in its directory, for example module/accounts/ajax.php, the code in ajax.php can be reached directly through the route http://bumsys.local/accounts/ajax, completely bypassing the CSRF check.
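As an added illustration, not code from bumsys, the PHP below models the quoted check beside a hardened form that refuses direct /$module/ajax routes and still requires the token on the intended /xhr path; the $action parameter and the way /xhr resolves to a module handler are assumptions about the router, not its real interface.

```php
<?php
// Added example, not bumsys code: a model of the route.php check quoted in
// the report beside a hardened variant. $action and the way /xhr resolves to
// a module handler are assumptions about the router, not its real interface.

function csrf_ok(array $server, array $session): bool
{
    // Both sides must be present; compare in constant time.
    return isset($server["HTTP_X_CSRF_TOKEN"], $session["csrf_token"])
        && hash_equals($session["csrf_token"], $server["HTTP_X_CSRF_TOKEN"]);
}

// Vulnerable logic, as in core/route.php: the token is only checked when the
// slug is xhr or info, so /accounts/ajax is served with no token at all.
function vulnerable_allows(string $pageSlug, ?string $action, array $server, array $session): bool
{
    if (($pageSlug === "xhr" || $pageSlug === "info") && !csrf_ok($server, $session)) {
        return false; // 403 Forbidden
    }
    return true;
}

// Hardened logic: a module's ajax.php is never reachable as a plain
// /$module/ajax route, and the intended /xhr and /info paths still require the token.
function hardened_allows(string $pageSlug, ?string $action, array $server, array $session): bool
{
    $viaXhr = ($pageSlug === "xhr" || $pageSlug === "info");
    if (!$viaXhr && $action === "ajax") {
        return false; // direct include of module/$module/ajax.php refused
    }
    if ($viaXhr && !csrf_ok($server, $session)) {
        return false; // 403 Forbidden
    }
    return true;
}

// Constructed sample requests: one with no header, one carrying the session's token.
$session   = ["csrf_token" => "constructed-session-token"];
$noToken   = [];
$withToken = ["HTTP_X_CSRF_TOKEN" => "constructed-session-token"];

printf("vulnerable /accounts/ajax, no token: %s\n", vulnerable_allows("accounts", "ajax", $noToken, $session) ? "allowed" : "denied");
printf("hardened   /accounts/ajax, no token: %s\n", hardened_allows("accounts", "ajax", $noToken, $session) ? "allowed" : "denied");
printf("hardened   /xhr, no token:           %s\n", hardened_allows("xhr", null, $noToken, $session) ? "allowed" : "denied");
printf("hardened   /xhr, valid token:        %s\n", hardened_allows("xhr", null, $withToken, $session) ? "allowed" : "denied");
```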

PoC

Make a GET request to, for example, http://bumsys.local/accounts/ajax?page=accountList to reach the ajax.php code without supplying a CSRF token.

Impact

Since this is a complete CSRF bypass, every endpoint is vulnerable to CSRF attacks; this could be leveraged to create a new admin account, amongst other things.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 2 months ago
Khurshid Alam validated this vulnerability 2 months ago
TsarSec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Khurshid Alam
2 months ago

Maintainer


Oops. You are really a legend. Thank you man.

Khurshid Alam marked this as fixed in 2.1.1 with commit 86e29d 16 days ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability 16 days ago
Khurshid Alam
16 days ago

Maintainer


@admin, please assign a CVE.

Pavlos
9 days ago

Admin


on it
