CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

TuongNC
Posts: 12
Joined: 19 Dec 2020, 09:40
Name: Tuong Ngo Cat
Location: Ha Noi
Company Name: None

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by TuongNC »

Thanks for reproducing.
I have just tried things that are directly related to admin rights. But it seems that the entire Rukovoditel CRM is not protected against CSRF.

swar
Posts: 60
Joined: 19 Dec 2020, 04:11
Name: A.R.
Location: Bratislava

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by swar »

Well, I have briefly checked the code of some modules and there is a function app_check_form_token() to protect some actions against CSRF. The problem is that it is used only in some places but surely not everywhere. Even after the fix uploaded by support in the other thread, there are a lot of forms and actions without this protection.

support
Site Admin
Posts: 6215
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Post by support »

This issue was fixed for 2.9. I have added &token= to all action URLs, so now you can't simply submit a form from another place.
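The pattern the thread converges on, a session-bound token that every state-changing handler checks, whether it is reached by a POSTed form or by an "&token=" action URL, written out as an added example; this is not Rukovoditel's own code (its app_check_form_token() is not shown here), and all function names below are hypothetical.

```php
<?php
// Added example, not Rukovoditel code: one central CSRF guard for every
// state-changing action, so protection is not applied form by form.
declare(strict_types=1);

// One 256-bit random token per session; rotate it on login and logout.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; an absent or empty token always fails closed.
function csrf_token_is_valid(?string $submitted): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals(csrf_token(), $submitted);
}

// Call once at the top of every handler that changes state, whether it is
// reached by a POSTed form (hidden field) or by a GET action URL (&token=).
function require_csrf_token(): void
{
    $submitted = $_POST['token'] ?? $_GET['token'] ?? null;
    if (!csrf_token_is_valid($submitted)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Hidden field to embed in every form that changes state.
function csrf_hidden_field(): string
{
    $value = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $value . '">';
}

// Append the token to an action link, e.g. index.php?action=users_delete&id=7
function csrf_action_url(string $url): string
{
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . 'token=' . urlencode(csrf_token());
}
```

Tokens carried in GET URLs can leak through Referer headers, browser history and server logs, so prefer POST forms with the hidden field for destructive actions and keep the token bound to the session rather than reusing a fixed value. A quick audit is to grep each module for the guard call and compare against the list of handlers that write to the database; any writer without the call is an unprotected action.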