
CSRF at Admin Email #3342

Closed
sh0lt0 opened this issue Mar 11, 2020 · 2 comments
Labels
bug Undesired behaviour resolved A fixed issue SECURITY A security issue reported through CVE
sh0lt0 commented Mar 11, 2020

Describe the bug
A malformed GET request at http://192.168.56.106/cacti/auth_profile.php?action=edit can lead to an admin email change.

Affected URI
http://192.168.56.106/cacti/auth_profile.php?action=edit

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'http://192.168.56.106/cacti/auth_profile.php?action=edit'
  2. Turn on a proxy interceptor; I used Burp.
  3. Change the email and save the request.
  4. Change the email in the saved request and send the URL to a logged in admin.
  5. Admin email will be changed.

Malformed Request:
http://192.168.56.106/cacti/auth_profile.php?tab=general&action=update_data&name=email_address&value=attacker@abc.com

Expected behavior
Such actions should not be requested with GET method and anti-CSRF tokens should be used.

  • OS: Ubuntu
  • Browser: Firefox
  • Version: Cacti Version 1.2.8
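The two mitigations the report asks for, rejecting state changes over GET and requiring a per-session anti-CSRF token, shown as an added Python sketch that is not Cacti's code. The request parser, session store and both dispatch functions are constructed stand-ins; the forged GET from the report is used as the sample input.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a server-side session store keyed by session cookie.
SESSIONS = {"admin-cookie": {"user": "admin", "csrf_token": secrets.token_hex(16)}}
STATE_CHANGING_ACTIONS = {"update_data"}

def parse_request(method, url, cookie, body=""):
    """Reduce an HTTP request to the fields the checks need (hypothetical helper)."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "query": query, "form": form, "cookie": cookie}

def vulnerable_dispatch(req):
    """Models the reported behaviour: a logged-in session plus action=update_data
    in the query string is enough to change the profile field, whatever the method."""
    session = SESSIONS.get(req["cookie"])
    if session is None:
        return "denied: not logged in"
    if req["query"].get("action") in STATE_CHANGING_ACTIONS:
        return f"updated {req['query']['name']} to {req['query']['value']}"
    return "no-op"

def hardened_dispatch(req):
    """Same handler with the two fixes the report asks for: state changes must be
    POSTed, and the POST body must carry the token bound to this session."""
    session = SESSIONS.get(req["cookie"])
    if session is None:
        return "denied: not logged in"
    action = req["query"].get("action") or req["form"].get("action")
    if action not in STATE_CHANGING_ACTIONS:
        return "no-op"
    if req["method"] != "POST":
        return "denied: state change requested over GET"
    # Constant-time comparison so the token check itself is not a timing oracle.
    if not hmac.compare_digest(req["form"].get("csrf_token", "").encode(),
                               session["csrf_token"].encode()):
        return "denied: missing or invalid csrf token"
    return f"updated {req['form']['name']} to {req['form']['value']}"

# The forged GET from the report, as a logged-in admin's browser would send it.
FORGED_GET = parse_request(
    "GET",
    "http://192.168.56.106/cacti/auth_profile.php?tab=general&action=update_data"
    "&name=email_address&value=attacker@abc.com",
    "admin-cookie",
)
```

With the vulnerable handler the forged GET changes the address; the hardened handler refuses it on method alone, and a POST without the session's token is refused as well.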
@TheWitness (Member) commented

This should be blocked.

@TheWitness TheWitness added the bug Undesired behaviour label Mar 12, 2020
@TheWitness TheWitness added this to the 1.2.11 milestone Mar 12, 2020
@TheWitness TheWitness added the SECURITY A security issue reported through CVE label Mar 12, 2020
TheWitness added a commit that referenced this issue Mar 12, 2020
CSRF at Admin Email
@TheWitness TheWitness added the resolved A fixed issue label Mar 12, 2020
@TheWitness (Member) commented

This should be fixed now.

@github-actions github-actions bot locked and limited conversation to collaborators Jun 30, 2020