Possible security issue: Cross-site request forgery

A place to discuss the testing process in beta cycles or against SVN for the CMS Made Simple CORE package.
Locked
Janne Salo
New Member
New Member
Posts: 2
Joined: Mon Oct 20, 2008 9:41 am

Possible security issue: Cross-site request forgery

Post by Janne Salo »

One of our clients found this in their internal testing. The problem is that many site-altering functionalities, like posting news items, in the admin interface are operated through regular HTTP GETs, rather than e.g. POSTs authenticated in some way.

For example, if an attacker finds out that example.com is build on CMSMS, he can create a malicious site, having  e.g. an img element with link
"http://example.com/admin/moduleinterface.php?mact=News%2Cm1_%2Caddarticle%2C0&m1_title=H4x0red&m1_category=1&m1_summary=Nasty+summary&m1_content=Nasty+content&m1_extra=&m1_postdate_Month=10&m1_postdate_Day=3&m1_postdate_Year=2008&m1_postdate_Hour=10&m1_postdate_Minute=29&m1_postdate_Second=58&m1_status=published&m1_startdate_Month=10&m1_startdate_Day=3&m1_startdate_Year=2008&m1_startdate_Hour=09&m1_startdate_Minute=44&m1_startdate_Second=58&m1_enddate_Month=04&m1_enddate_Day=1&m1_enddate_Year=2009&m1_enddate_Hour=09&m1_enddate_Minute=44&m1_enddate_Second=58&m1_submit=Submit"
(sorry for the ugly overflowing long string) as its src attribute. If the attacker now is able to get a logged-in admin of example.com to go to his malicious page, an unwanted news item gets added in example.com.

While the above scenario might not be that realistic, the issue, in my opinion, is quite serious.
User avatar
blast2007
Power Poster
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

Re: Possible security issue: Cross-site request forgery

Post by blast2007 »

Hi Janne,
you can avoid this issue using a different name for "/admin" directory, and an creating an .htaccess inside it. (Take a look at this guide for reference).

regards
blast
Janne Salo
New Member
New Member
Posts: 2
Joined: Mon Oct 20, 2008 9:41 am

Re: Possible security issue: Cross-site request forgery

Post by Janne Salo »

Thanks for the info. I should've read the documentation more thoroughly. I guess that effectively solves the issue.
Pierre M.

Re: Possible security issue: Cross-site request forgery

Post by Pierre M. »

Hello all,

thank you for this feed back. If I understand well
-obfuscating the admin directory is easy and prevents this attack (by 404).
-not rendering third site content (img, frame, css...) in the admin browser prevents the attack but is practically rare.
-http auth (with .htaccess) to the admin directory doesn't prevent this attack. Ouch !-(

If I'm not wrong the breach is '/admin' here and I think the installer should randomly set the name of the admin directory to obfuscate it.
Or could moduleinterface.php check referer URL or so ? Would it work ? Would it rely too heavily on the admin browser ?

Pierre
Teme
New Member
New Member
Posts: 8
Joined: Sat Oct 25, 2008 5:10 pm

Re: Possible security issue: Cross-site request forgery

Post by Teme »

Hi,

I have discussed about this with develpers at IRC. I was most likely the one, who originally found the problem.Obfuscating is really bad way to secure the system, but at the moment only way to do it. The real fix is much more complex. All links which are able modify any data should be secured with additional "CSRF-preventing" parameter. I have suggested, that there is always "vaidation" parameter which is tied to session id, but is not the same as session id. For example md5 sum from the session id is unique enough. That kind of solution is for example at Joomla. (but it's not exactly same.)

(And this is not just "possible security issue". It is real security issue.)

Teme
Pierre M.

Re: Possible security issue: Cross-site request forgery

Post by Pierre M. »

Hello,

Teme wrote:All links which are able modify any data should be secured with additional "CSRF-preventing" parameter. I have suggested, that there is always "vaidation" parameter which is tied to session id, but is not the same as session id. For example md5 sum from the session id is unique enough.


Very interesting. If I understand well :
-Those links need a secure transaction id.
-This Txid is computed/given with the response to the authenticated user (like cookie thing)
-The third party (intruder) never generates a valid Txid (because it never see cookie thing)

I agree with you it seems an actual serious issue for admins browsing heavily on thrid sites while administring.

Pierre M.
Teme
New Member
New Member
Posts: 8
Joined: Sat Oct 25, 2008 5:10 pm

Re: Possible security issue: Cross-site request forgery

Post by Teme »

Even with the local site there is real danger, if the local site has interactive components like discussion forums with img-tag. That is not exploiting the post-forms, but it still can cause plenty of problems.

Teme
Locked

Return to “[locked] Quality Assurance”