CSRF add admin user


osCmax 2.5.3 suffers from a cross-site request forgery (CSRF) vulnerability that allows an attacker to add a user through the admin panel.

The attacker sends a link to a logged-in admin; opening it submits the user-creation form with the admin's own session, so a new admin user is created.
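The following is an added example, not osCmax code, that models the two sides of this report in Python: the handler as reported, where the admin's session cookie is the only check, and the same handler with the synchronizer-token check that the thread below goes on to discuss. The field names `username`, `password` and `csrf_token`, the in-memory user table and the session dict are constructed stand-ins; only `Submit4`/`Agregar` come from the reporter's posted form.

```python
import hmac
import secrets

# Constructed stand-in for the users table (not osCmax's database).
USERS = {"admin"}


def new_admin_session():
    """What the admin's browser holds after logging in: the identity plus a
    per-session secret. The attacker's page cannot read this token cross-origin,
    which is what makes the check below effective."""
    return {"user": "admin", "csrf_token": secrets.token_hex(32)}


def forged_form():
    """POST body an attacker-controlled page submits on the admin's behalf.
    The browser attaches the admin's session cookie automatically, but the
    attacker has no way to fill in csrf_token (field names are assumptions)."""
    return {"username": "backdoor", "password": "Passw0rd!", "Submit4": "Agregar"}


def legitimate_form(session):
    """The real admin form, which embeds the session's token as a hidden field."""
    return {"username": "alice", "password": "Passw0rd!", "Submit4": "Agregar",
            "csrf_token": session["csrf_token"]}


def add_user_vulnerable(session, form):
    """Unpatched behaviour as reported: being logged in is the only requirement,
    so the forged POST succeeds whenever the admin has a valid session."""
    if session.get("user") != "admin":
        return "redirect:login"
    USERS.add(form["username"])
    return "created"


def add_user_protected(session, form):
    """Synchronizer-token check: the submitted token must equal the one stored
    in the session. compare_digest keeps the comparison constant-time so the
    token cannot be guessed byte by byte through response timing."""
    if session.get("user") != "admin":
        return "redirect:login"
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "rejected"
    USERS.add(form["username"])
    return "created"


def hidden_token_field(session):
    """HTML fragment the server renders into every admin form it protects."""
    return f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'


if __name__ == "__main__":
    s = new_admin_session()
    print("not logged in:", add_user_vulnerable({}, forged_form()))         # redirect:login
    print("vulnerable, logged in:", add_user_vulnerable(s, forged_form()))  # created
    print("protected, forged:", add_user_protected(s, forged_form()))       # rejected
    print("protected, real form:", add_user_protected(s, legitimate_form(s)))  # created
```

The first two calls reproduce Giles's observation: with no session the request bounces to the login page, but with a live admin session the forged request goes through. The token check rejects the forged request while still accepting the genuine form, and because the token is per-session and only readable same-origin, a page the attacker hosts cannot obtain it.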



Steps to reproduce



Michael Sasek
November 11, 2016, 11:12 PM

Commit 298f32c fixes this specific reported issue even if no .htaccess anti-CSRF protection rules are in place, but there are many forms in the admin that need this token check added. I am keeping this issue open and will update/close it once all forms have the protection in place.

March 19, 2014, 10:38 PM

No problem

Giles Marshall
March 19, 2014, 10:20 PM

Good point, I had not thought of an email/spoof attack when the user is logged in... I will look at a token solution for the form submission.

Thanks for taking the time to report here.

March 19, 2014, 7:45 AM

Well, for example, if the attacker uploads the HTML file and sends it to the victim, the username and password will be added (if the admin is logged in).
The attacker can change [html]<input type='submit' name='Submit4' value="Agregar">[/html] to
[html]<script type="text/javascript">
function forge(){document.getElementById("csrf").click();}
</script>[/html]

so that when the victim opens the link it will be automatically redirected to the admin panel.
I recommend using an anti-CSRF script, just in case.

I know the vulnerability might have a low-to-medium impact because it depends on the attacker's S.E. (social engineering).

Sorry for my awful English, I hope you understood what I meant.

Giles Marshall
March 19, 2014, 6:06 AM

Hi there - thanks for reporting this issue, but I think you will find that this attack would only work if you already have a valid session of the admin panel open and running (i.e. you have already logged in). Then of course it would work in the same way that other commands work once you are logged in.

In my tests the above script simply redirects to the login page as expected. Unless I have missed something (which is very possible) then please come back to me.

Thanks for helping make osCmax as safe and secure as possible.


Michael Sasek