GoCD: Imperfect CSRF To Overwrite Server Config at /go/admin/restful/configuration/file/POST/xml

ID H1:240048
Type hackerone
Reporter 4cad
Modified 2018-12-05T04:13:54


The /go/admin/restful/configuration/file/POST/xml path is vulnerable to Cross-Site Request Forgery that can result in an unauthorized user adding to the server cruise-config.xml and gaining complete control of the server. Successful exploitation is made difficult by the need for the admin to be served malicious HTML and for the attacker to have a copy of historical config, such as the nearly-empty placeholder file that gets initially generated upon install.
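
A defensive check for the request described above, as an added example that is not part of the original report: it scans access logs for POSTs to the config endpoint whose Referer is missing or points at another host. It assumes a reverse proxy in front of GoCD writing combined log format; the hostname `gocd.example.internal`, the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the report.
CONFIG_PATH = "/go/admin/restful/configuration/file/POST/xml"

# Combined log format (assumed):
# ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def suspicious_config_posts(lines, trusted_hosts):
    """Return (time, user, referer, reason) for config POSTs not sent from a trusted host's page."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if urlsplit(m["path"]).path != CONFIG_PATH:
            continue
        referer = m["referer"]
        host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if host is None:
            reason = "missing or unparseable referer"
        elif host.lower() not in trusted_hosts:
            reason = "cross-origin referer"
        else:
            continue  # request came from a page on the GoCD host itself
        hits.append((m["time"], m["user"], referer, reason))
    return hits

# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = [
    '10.0.0.5 - admin [05/Dec/2018:04:10:00 +0000] "POST /go/admin/restful/configuration/file/POST/xml HTTP/1.1" 200 512 "https://gocd.example.internal/go/" "Mozilla/5.0"',
    '10.0.0.5 - admin [05/Dec/2018:04:12:31 +0000] "POST /go/admin/restful/configuration/file/POST/xml HTTP/1.1" 200 512 "https://unrelated.example.net/page.html" "Mozilla/5.0"',
    '10.0.0.7 - admin [05/Dec/2018:04:13:02 +0000] "POST /go/admin/restful/configuration/file/POST/xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - dev [05/Dec/2018:04:13:40 +0000] "GET /go/pipelines HTTP/1.1" 200 2048 "https://gocd.example.internal/go/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_config_posts(SAMPLE_LOG, {"gocd.example.internal"}):
        print(hit)
```

A hit is a lead for review, not proof of compromise: API clients and privacy settings can legitimately omit the Referer, so compare each flagged request against the change history of cruise-config.xml.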