
Multiple interfaces in the tianti management system have CSRF vulnerabilities #39

@KaGty1

Description


Vulnerability location and vulnerability description

CMS version: tianti 2.3
In tianti CMS, there is a CSRF vulnerability in the "Add", "Delete", "Edit" and "Restore" user function points.

/user/ajax/save
/user/ajax/upd/status

CSRF stands for Cross-Site Request Forgery:
Cross-site request forgery is an attack that tricks a user into performing unintended actions on a web application they are logged in to. The attacker lures the already logged-in user to a malicious website, which sends requests to the target site under the user's identity. This lets the attacker complete operations without the user's knowledge, such as transferring funds, changing passwords, deleting data, and so on.

Vulnerability proof

/user/ajax/save and /user/ajax/upd/status support both the GET and POST methods, and the CSRF problem exists for both.

Click 'Add', fill in the information, click 'OK', and use Burp Suite to capture the request:

Image

Then generate a CSRF attack PoC with Burp Suite, which produces a phishing link:

Image

When the back-end administrator of an enterprise/school clicks this phishing link, the hacker is automatically added as an administrator:

Image

You can see that the hacker has been successfully added as an administrator:

Image

Auditing the source code also shows that there is no CSRF protection in the code at all, such as CSRF token verification or a same-origin check:

Image

Repair suggestions:

(1) Use a CSRF token.

(2) Use a same-origin check:

The server side checks whether the source of the request matches its own domain name. In Spring this can be implemented with a filter or an interceptor.
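An added example of the two repair suggestions above, written as a Spring MVC interceptor. This is example code, not tianti's own: the package name, the allowed origin value, the token header/parameter names, and the javax.servlet / HandlerInterceptorAdapter API level (Spring 4/5 with the javax servlet API) are assumptions.

```java
package com.example.tianti.security; // hypothetical package, not part of tianti

import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Blocks cross-site state-changing requests with two independent checks:
 *   1. the Origin header (Referer as fallback) must be our own scheme://host:port;
 *   2. the request must echo a per-session CSRF token (header or parameter).
 * Safe methods (GET/HEAD/OPTIONS/TRACE) pass through, so the vulnerable handlers
 * must also stop accepting GET for mutations (see note below).
 */
public class CsrfInterceptor extends HandlerInterceptorAdapter {

    public static final String TOKEN_SESSION_KEY = "CSRF_TOKEN"; // assumed names
    public static final String TOKEN_HEADER = "X-CSRF-TOKEN";
    public static final String TOKEN_PARAM = "_csrf";
    private static final SecureRandom RNG = new SecureRandom();

    /** Normalised origin the CMS is served from, e.g. "https://cms.example.com" (assumed; configure it). */
    private final String allowedOrigin;

    public CsrfInterceptor(String allowedOrigin) throws URISyntaxException {
        this.allowedOrigin = normalize(new URI(allowedOrigin));
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler)
            throws Exception {
        String m = req.getMethod();
        if ("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m) || "TRACE".equals(m)) {
            return true;
        }
        if (!sameOrigin(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "cross-site request rejected");
            return false;
        }
        if (!validToken(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return false;
        }
        return true;
    }

    /** Check 1: same-origin. Fails closed when no usable origin is supplied (e.g. "Origin: null"). */
    boolean sameOrigin(HttpServletRequest req) {
        String source = req.getHeader("Origin");
        if (source == null) {
            source = req.getHeader("Referer");
        }
        if (source == null) {
            return false;
        }
        try {
            return normalize(new URI(source)).equals(allowedOrigin);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Check 2: token in header or form parameter must equal the one stored in the session. */
    boolean validToken(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return false;
        }
        Object expected = session.getAttribute(TOKEN_SESSION_KEY);
        String supplied = req.getHeader(TOKEN_HEADER);
        if (supplied == null) {
            supplied = req.getParameter(TOKEN_PARAM);
        }
        if (!(expected instanceof String) || supplied == null) {
            return false;
        }
        // constant-time comparison so the token cannot be guessed byte by byte
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    /** Issue (or reuse) the session token; page templates embed it in forms and AJAX headers. */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            Object existing = session.getAttribute(TOKEN_SESSION_KEY);
            if (existing instanceof String) {
                return (String) existing;
            }
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_SESSION_KEY, token);
            return token;
        }
    }

    /** scheme://host:port with default ports filled in; path and query are ignored. */
    static String normalize(URI u) throws URISyntaxException {
        if (u.getScheme() == null || u.getHost() == null) {
            throw new URISyntaxException(String.valueOf(u), "origin needs a scheme and host");
        }
        String scheme = u.getScheme().toLowerCase();
        int port = u.getPort() == -1 ? ("https".equals(scheme) ? 443 : 80) : u.getPort();
        return scheme + "://" + u.getHost().toLowerCase() + ":" + port;
    }
}
```

Register it in the Spring MVC configuration (for example an `<mvc:interceptors>` entry mapping `/user/ajax/**`) and pass the real origin of the deployment. Because the interceptor exempts safe methods, the `/user/ajax/save` and `/user/ajax/upd/status` handlers must additionally be limited to POST (`method = RequestMethod.POST` on their mapping); otherwise a GET from an image tag or link still bypasses both checks. Setting `SameSite=Lax` on the session cookie is a worthwhile extra layer, but it is not a substitute for the server-side checks on older browsers.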
