From bugzilla-daemon@bugs.koha-community.org Sun Jun 30 14:49:18 2019
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 23238] New: CSRF On Logout Page
Date: Sun, 30 Jun 2019 12:48:48 +0000
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2285697093856790887=="
--===============2285697093856790887==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D23238
Bug ID: 23238
Summary: CSRF On Logout Page
Change sponsored?: ---
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: Web services
Assignee: koha-bugs@lists.koha-community.org
Reporter: anuragmewar@gmail.com
QA Contact: testopia@bugs.koha-community.org
Created attachment 91132
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=3D91132&action=3D=
edit
PFA the Google Drive link for the video
Vulnerability: CSRF on logout page
Vulnerability Description: Cross-Site Request Forgery (CSRF) is an attack that
forces an end user to execute unwanted actions on a web application in which
they're currently authenticated. With a little help of social engineering (su=
ch
as sending a link via email or chat), an attacker may trick the users of a web
application into executing actions of the attacker's choosing.=20
Vulnerable URL: https://ils.ddn.upes.ac.in:8001/cgi-bin/koha/opac-main.pl
CSRF POC:
Steps to reproduce:
1. Login with valid credentials
2. Start any proxy tool to intercept the request.
3. Click logout
4. Send to "repeator"
5. Change "referer" header
6. Observe the output
7. Create an HTML file using the CSRF POC mentioned above
8. Login again
9. Open the CSRF html file on a new tab
10. Submit request
11. Results would reflect on main account
POC:
PFA the video
--=20
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
--===============2285697093856790887==--