  • #5840
Closed
Open
Issue created May 29, 2018 by bmortier@bmortierMaintainer

Security Vulnerability: Cross Site Request Forgery

Description

FusionDirectory is vulnerable to Cross Site Request Forgery (CSRF) attacks.

Distribution Name and Version

Debian stable. The instance at admin.fusiondirectory.org is also affected.

FusionDirectory Version

1.2

PHP version used

7.0.14-2

Origin of php packages

Debian distribution packages.

Steps to Reproduce

  1. Authenticate with a test account at admin.fusiondirectory.org. Please use a test account, as the password will be reset to a known value.
  2. Open the attached file CSRF-FusionDirectory.html in the browser.
  3. Click on the Attack! button.

Expected behavior:

The application checks whether state-changing requests originated from a previously delivered application web page by comparing a random token parameter. No changes are made.

Actual behavior:

The application accepts the request forged by the attacker's page. The password of the attacked user is changed to Password1234! and the address is set to Owned!.

Reproduces how often: 100%.

Additional Information

The URL parameter plug is instance specific, but it can easily be brute forced by the attacker and therefore does not serve as a CSRF token.

See the OWASP CSRF Page for further details on this vulnerability.
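The token check described under "Expected behavior", as an added illustration that is not FusionDirectory's own code (the project is PHP; this Python model mirrors PHP's random_bytes() and hash_equals()). The session, the hypothetical csrf_ok()/issue_token() helpers and the password-change handler are assumptions; the forged value Password1234! is the one from the report above.

```python
import hmac
import secrets

# Synchronizer-token pattern: the server embeds a per-session random token in
# every delivered form and refuses state-changing requests that do not echo it.
# A cross-origin attacker page cannot read the token, so its forged POST fails.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session: dict) -> str:
    """Create (or reuse) the CSRF token that delivered pages embed in forms."""
    if "csrf_token" not in session:
        # 256 bits from the CSPRNG: unlike a short instance-specific parameter,
        # this cannot be brute forced by an attacker.
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def csrf_ok(session: dict, method: str, params: dict) -> bool:
    """True only if a state-changing request carries this session's token."""
    if method.upper() not in STATE_CHANGING:
        return True  # safe methods must not change state, so no token needed
    expected = session.get("csrf_token")
    submitted = params.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False  # missing token (typical of a forged cross-site form)
    # Constant-time comparison, the equivalent of PHP's hash_equals().
    return hmac.compare_digest(expected, submitted)


def handle_password_change(session: dict, method: str, params: dict) -> int:
    """Hypothetical handler: apply the change only when the CSRF check passes."""
    if not csrf_ok(session, method, params):
        return 403  # reject; nothing is modified
    session["password"] = params["new_password"]
    return 200


def demo() -> tuple:
    """Constructed scenario: one genuine form post, one forged cross-site post."""
    session = {"user": "testuser", "password": "original"}
    token = issue_token(session)
    genuine = handle_password_change(
        session, "POST", {"csrf_token": token, "new_password": "new-secret"})
    # The attacker page cannot read the victim's token, so it is absent.
    forged = handle_password_change(
        session, "POST", {"new_password": "Password1234!"})
    return genuine, forged, session["password"]
```

The token must also be rotated on login and never placed in a URL that could leak via the Referer header.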
