Dear Leo,
To exploit the "vulnerability", the malicious website would have to know the domain name of your Contao installation, which is very unlikely!
Well, if you are mounting an attack on someone's web site, you actually do know the domain name, as well as lots of other information.
Second of all, the request token system prevents this kind of attack, so the report can be considered fixed (and outdated).
You might have noticed that, in this software, all the delete actions are performed by GET requests, not POST ones, as I suspect you are thinking.
Well, let's confirm the issue by ourselves! I have taken the liberty to download, install, and test the version 2.11.9, which seems to be the latest release of the 2.11.x LTS branch. As far as I see, this is the branch that is reported to be vulnerable, so it fits perfectly for the demo.
If you check the URL of the link you click on when deleting something, it looks something like this:
Code:
http://[host]/contao/main.php?do=page&act=delete&id=1
where the value of "do" parameter varies depending on what type of objects you are operating on, and "id" varies depending on the exact object to be deleted. Please notice that there are no tokens of any kind in the link.
To test things out, you can simply copy & paste the link into a new browser tab and make the browser perform the request. See what will happen -- the stuff gets deleted! Congratulations, you have performed your first, very basic, CSRF attack! It looks ridiculous when that simplified, but... Bear in mind that, for example, the attacker might put the URL you've just used anywhere -- in any HTML tag that requests a remote resource; often, the IMG tag is used for the purpose. Just visiting a page specially prepared for you by a "friend" might be enough to kill your user on the installation you own.
You might also want to review the theory behind the cross-site request forgery attack types on web applications. Let me provide you with some fine reading:
1. https://www.owasp.org/index.php/Cross-S ... %28CSRF%29
2. http://www.cgisecurity.com/csrf-faq.html
Have fun!
With kind regards,
dmy
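An added illustration (not Contao's code and not part of the post above) of the two sides of this thread: a minimal model of the token-less GET delete link quoted above, beside a handler guarded by the per-session request token that the later releases rely on. The function names, the in-memory page table and the extra requirement that the state change arrive by POST are assumptions of this example, not details taken from Contao.

```python
import hmac
import secrets
from urllib.parse import parse_qs

def fresh_pages():
    """Constructed stand-in for the installation's page table."""
    return {1: "Home", 2: "News"}

def params_from_url(url):
    """Turn a backend link like main.php?do=page&act=delete&id=1 into a dict."""
    return {k: v[0] for k, v in parse_qs(url.partition("?")[2]).items()}

def vulnerable_delete(pages, method, params):
    """Token-less handler: any request with act=delete removes the row, whatever
    its origin or method, so a GET triggered from a third-party page succeeds."""
    if params.get("do") == "page" and params.get("act") == "delete":
        return pages.pop(int(params.get("id", 0)), None) is not None
    return False

def issue_request_token(session):
    """Per-session random token, kept server-side and echoed into backend forms."""
    session["rt"] = secrets.token_hex(16)
    return session["rt"]

def hardened_delete(pages, method, params, session):
    """Guarded handler: POST only, and the supplied token must match the session's
    own (constant-time compare); anything else is rejected with no side effects."""
    if method != "POST":
        return False
    expected, supplied = session.get("rt"), params.get("rt", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    if params.get("do") == "page" and params.get("act") == "delete":
        return pages.pop(int(params.get("id", 0)), None) is not None
    return False

def demo():
    """Replay the scenario from the post against both handlers (constructed host)."""
    forged = params_from_url("http://contao.example/contao/main.php?do=page&act=delete&id=1")
    victim_session = {}
    token = issue_request_token(victim_session)
    old, new = fresh_pages(), fresh_pages()
    forged_worked = vulnerable_delete(old, "GET", forged)
    forged_blocked = not hardened_delete(new, "GET", forged, victim_session)
    # A token guessed or lifted from another session must fail as well.
    guessed = dict(forged, rt=secrets.token_hex(16))
    guess_blocked = not hardened_delete(new, "POST", guessed, victim_session)
    # The legitimate backend form, carrying the session's own token, still works.
    legit_worked = hardened_delete(new, "POST", dict(forged, rt=token), victim_session)
    return forged_worked, forged_blocked, guess_blocked, legit_worked, len(old), len(new)
```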