We build. You grow.

Get best community software here

Start a social network, a fan-site, an education project with oxwall - free opensource community software

High Severity: CSRF bug in Forum | Forum

Securify Red Team
Securify Red Team Jun 25 '17

Removing user comments in Forum


There is another CSRF in forum. User comment box does not have a verified CSRF token either. So if we have similar payload as the plugin CSRF one:


<img src="[oxwall_url]/lab1/forum/deletePost/[post_id]/[comment_id]">


Then once the user who created the comment visits the link their comments get deleted. This is because comment deletion is sent through GET request. 

This severity is tasked high because of this: 

In the Forum page, user has permission to add image through url. Now the attacker can put this as the url :


http://[oxwall_url]/lab1/forum/deletePost/1/[victim’s comment id]


Once that is posted to the Forum page, Victim’s comment id X gets removed right way because the server calls the link as a GET request.

The Forum post is edited by Securify Red Team Jun 25 '17
Securify Red Team
Securify Red Team Jun 25 '17
We can showcase this bug here, if someone comments
AppXprt
AppXprt Jun 25 '17
I'm pretty good at crafting CSRF and protecting against it, so I'll see what I can do for this.
Securify Red Team
Securify Red Team Jun 25 '17
Thanks Zach! I had a question to the devs and forum management. Should we create a private way to talk like, Zach, you and our team? Because I am skeptical reporting security issues openly here specially when this platform itself is vulnerable to attacks reported on all the three reports we submitted. 
AppXprt
AppXprt Jun 25 '17
I guess the most recently active dev would be:

https://github.com/esase

Securify Red Team
Securify Red Team Jun 25 '17
Is he on this forum? We can trying finding someone here who is a official Oxwall personnel as well. Because we really need them to push out a fix ASAP. 
AppXprt
AppXprt May 18
BuMp


This and multiple other vulnerabilities need to be addressed, we need to know the future of Oxwall.


I will only disclose issues and vulnerabilities to the Oxwall Team and fellow Active Developers.


Let's all help make this a more secure CMS. I wanted an official fix, but if not I guess I'll have to contribute the fixes to an active project..

The Forum post is edited by AppXprt May 18
Oxwall Germany Club
The issues were reported to the Oxwall development team.
Norias
Norias Jun 12
Maybe this is a solution ?


"Delete with POST" https://github.com/oxwall/forum/pull/55

Oxwall Germany Club

Quote from Norias Maybe this is a solution ?
It doesn't seem to be a solution as there isn't submitted any CSRF token to check the validity of the request of the user. An attacker can still lure the user to a special crafted page which sends a POST request to the URL. This doesn't change the situation, also if the request is sent via HTTP POST. I'll pass this over to the development team. Thank you for posting the link.
AppXprt
AppXprt Jun 14
Thanks Oxwall Germany!