CSRF on SSL certificates deletion in froxlor/froxlor

Valid

Reported on

Nov 4th 2022


📜 Description

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform (using form submissions). It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

In your application, the CSRF vulnerability is triggered when an administrator clicks the malicious link and logs in.

šŸ•µļø Proof of Concept

  1. Send a malicious link, or redirect the admin, to: https://demo.froxlor.org/index.php?script=admin_domains.php&qrystr=%26page%3Dsslcertificates%26action%3Ddelete%26id%3D1 (id=1).
  2. The admin logs in, and the SSL certificate with ID 1 is deleted automatically.

šŸ” Mitigations

The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token should be:

  • Unpredictable with high entropy, as for session tokens in general.
  • Tied to the user's session.
  • Strictly validated in every case before the relevant action is executed.

Example of an HTML form that uses a CSRF token:

<form action="/profile" method="POST">
    <input type="text" name="name" value="">
    <input type="email" name="email" value="">
    <input type="hidden" name="csrf" value="d192140e2f1db42d60e508731b4095c08447c985c34a3b7a580e88e5c8b1d9a5">
</form>
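The token scheme described above, worked through for the certificate delete action from the proof of concept, as an added Python example that is not froxlor's code (froxlor itself is PHP; the names handle_delete_certificate, Session and the in-memory certificate dict are constructed for illustration):

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    """Constructed stand-in for a server-side session record."""
    sid: str
    is_admin: bool
    csrf_token: str = ""


def issue_csrf_token(session: Session) -> str:
    # 256 bits from the OS CSPRNG (unpredictable, high entropy); storing it
    # in the session record is what ties the token to this session.
    session.csrf_token = secrets.token_hex(32)
    return session.csrf_token


def csrf_token_valid(session: Session, submitted) -> bool:
    # A session that never received a token can never pass validation, and
    # comparison is constant-time so the check does not leak the token.
    if not session.csrf_token or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


def handle_delete_certificate(session: Session, method: str, params: dict,
                              certs: dict) -> tuple:
    """Mitigated version of the 'sslcertificates / delete' action.

    Returns (http_status, reason). The forged GET link from the proof of
    concept is rejected before any state is touched: the action requires
    POST, and the POST must carry the token bound to the caller's session.
    """
    if not session.is_admin:
        return 403, "admin required"
    if method != "POST":
        return 405, "state-changing action is not reachable via GET"
    if not csrf_token_valid(session, params.get("csrf")):
        return 403, "missing or invalid CSRF token"
    cert_id = params.get("id")
    if cert_id not in certs:
        return 404, "no such certificate"
    del certs[cert_id]
    return 200, "deleted"
```

A token issued to one session is rejected by another, so even a leaked token from the attacker's own login cannot be replayed against the admin's session.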

Impact

In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user's account.

In your application, the CSRF attack causes an SSL certificate deletion, which can harm the availability of the applications that rely on it.

We are processing your report and will contact the froxlor team within 24 hours. 2 months ago
We have contacted a member of the froxlor team and are waiting to hear back 2 months ago
Michael Kaufmann validated this vulnerability 2 months ago

As one needs to log in as admin, I don't think it's a severity high; will be fixed with the next release on 2nd of December.

xanhacks has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
xanhacks
2 months ago

Researcher


Thank you for validating the report.

The CVSS score of a CSRF sets the "Privileges Required (PR)" to None, because the attacker does not need the admin account but only a "User Interaction (UI)". It's a bit strange but that's how the CVSS score works.

Michael Kaufmann marked this as fixed in 0.10.38.3 with commit 4d454a a month ago
Michael Kaufmann has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Dec 3rd 2022
Michael Kaufmann published this vulnerability a month ago
xanhacks
25 days ago

Researcher


Hey @maintainer @admin, could we assign a CVE id?
