catrobat / catroweb Goto Github PK

This enhancement include of keeping a home button in the menu bar and in footer menu bar

There should be a hover effect on the links provided in the footer. It could be a color change similar to the sidebar links.

Hello,
I am opening a new issue here about a critical vulnerability I found since "Security" tab in your Github repo is not setup for bug submissions.

Bug: Missing CSRF Token leads to 1-click Account Takeover
Description: An attacker can successfully takeover accounts (mass takeover is possible too), by only forcing a user to visit a website (so only 1 interaction is required by the user). After visiting the website, 4 POST requests will be automatically sent by user to the webapp to change his/her data such as: username, email address, password, profile picture without his/her knowledge.

Please find attached the HTML file as a PoC for this demo. Once a user opens this HTML file (hosted as a website or a file, doesn't matter), the account will be changed with the following data:

Username: hacked
Password: hacked
Email: [email protected]
Profile picture as demonstrated in the attached video.

I also would like to mention another vulnerability which lead to this critical one.
When a user wants to change the password, he basically sends the following POST Request:

POST /app/passwordSave HTTP/2
Host: share.catrob.at
Cookie: cookie_values_here
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Origin: https://share.catrob.at
Referer: https://share.catrob.at/app/user

oldPassword=mystrongpassword&newPassword=mynewpassword&repeatPassword=mynewpassword

There are clearly 3 POST parameters (oldPassword, newPassword and repeatPassword). The problem relies on oldPassword parameter which is not being checked if it is missing or not. So basically you can remove that parameter and you can setup a new password without knowing your old one.

POST /app/passwordSave HTTP/2
Host: share.catrob.at
Cookie: cookie_values_here
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Origin: https://share.catrob.at
Referer: https://share.catrob.at/app/user

newPassword=mynewpassword&repeatPassword=mynewpassword

This bug was also implemented in the HTML PoC, leading to this 1-click Account Takeover vulnerability.

Mitigation
I strongly advise to implement Anti-CSRF Token when a user is changing the mentioned data.
Make sure that oldPassword is present in the HTTP Request when changing the password.

Video PoC:
https://user-images.githubusercontent.com/37262788/168836544-be1e4737-a872-45df-b4ad-8828a25ec2e5.mp4

HTML PoC (Please change the extension to .html, since Github doesn't allow uploading HTML files)
catrobat_csrf_html_file.txt

Please let me know if more information is needed,
Kind regards!
.