High Severity: CSRF bug in Forum | Forum

Securify Red Team Jun 25 '17

Removing user comments in Forum


There is another CSRF in the forum. The user comment box does not have a verified CSRF token either. So if we have a similar payload to the plugin CSRF one:


<img src="[oxwall_url]/lab1/forum/deletePost/[post_id]/[comment_id]">


Then once the user who created the comment visits the link, their comments get deleted. This is because comment deletion is sent through a GET request.

This severity is tasked high because of this: 

On the Forum page, a user has permission to add an image through a URL. Now the attacker can put this as the URL:


http://[oxwall_url]/lab1/forum/deletePost/1/[victim’s comment id]


Once that is posted to the Forum page, the victim’s comment id X gets removed right away because the server calls the link as a GET request.

The Forum post is edited by Securify Red Team Jun 25 '17
Securify Red Team Jun 25 '17
We can showcase this bug here, if someone comments
AppXprt Jun 25 '17
I'm pretty good at crafting CSRF and protecting against it, so I'll see what I can do for this.
Securify Red Team Jun 25 '17
Thanks Zach! I had a question for the devs and forum management. Should we create a private way to talk, like Zach, you and our team? Because I am skeptical about reporting security issues openly here, especially when this platform itself is vulnerable to attacks reported in all three reports we submitted.
AppXprt Jun 25 '17
I guess the most recently active dev would be:

https://github.com/esase

Securify Red Team Jun 25 '17
Is he on this forum? We can try finding someone here who is an official Oxwall personnel as well. Because we really need them to push out a fix ASAP.
AppXprt May 18 '19
BuMp


This and multiple other vulnerabilities need to be addressed, we need to know the future of Oxwall.


I will only disclose issues and vulnerabilities to the Oxwall Team and fellow Active Developers.


Let's all help make this a more secure CMS. I wanted an official fix, but if not I guess I'll have to contribute the fixes to an active project..

The Forum post is edited by AppXprt May 18 '19
Oxwall Germany Club
Oxwall Germany Jun 11 '19
The issues were reported to the Oxwall development team.
Norias Jun 12 '19
Maybe this is a solution?


"Delete with POST" https://github.com/oxwall/forum/pull/55

Oxwall Germany Club
Oxwall Germany Jun 12 '19

Quote from Norias: Maybe this is a solution?
It doesn't seem to be a solution, as no CSRF token is submitted to check the validity of the user's request. An attacker can still lure the user to a specially crafted page which sends a POST request to the URL. This doesn't change the situation, even if the request is sent via HTTP POST. I'll pass this over to the development team. Thank you for posting the link.
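The check described in the reply above, as an added example that is not part of the thread and not Oxwall's code: a delete handler that rejects GET and also requires a per-session token on POST. The function names, the `csrf_token` field and the sample requests are assumptions made for illustration.

```php
<?php
// Added example: hypothetical names, not Oxwall's API.

// Issue one random token per session; the server embeds it in the delete form.
function csrf_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a delete request may proceed.
// Returns an HTTP status: 200 allow, 405 wrong method, 403 missing or bad token.
function authorize_delete(string $method, array $post, array $session): int
{
    // State changes never run on GET, so an image fetch of the URL deletes nothing.
    if ($method !== 'POST') {
        return 405;
    }
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    // POST alone is not enough: a cross-site form submission also carries the
    // user's cookies, but the other site cannot read the per-session token.
    if (!is_string($submitted) || $expected === '' || !hash_equals($expected, $submitted)) {
        return 403;
    }
    return 200;
}

// Constructed requests covering the cases raised in the thread.
$session = [];
$token   = csrf_issue($session);

$cases = [
    'GET via image URL'       => ['GET',  []],
    'POST without token'      => ['POST', []],
    'POST with wrong token'   => ['POST', ['csrf_token' => str_repeat('0', 64)]],
    'POST with session token' => ['POST', ['csrf_token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-24s -> %d\n", $label, authorize_delete($method, $post, $session));
}
```

Only the last case returns 200; the POST-only change without a token corresponds to the second case, which is rejected here with 403.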
AppXprt
AppXprt Jun 14 '19
Thanks Oxwall Germany!