| Title | open-source navigation CMS WebStack-Guns 1.0 Cross-Site Request Forgery |
|---|
| Description | # WebStack-Guns Cross-Site Request Forgery
**Submitter:** yudeshui
**Target Product:** WebStack-Guns (open-source navigation CMS)
**Affected Version:** 1.0 (current master)
**Tested Environment:** commit HEAD of https://github.com/jsnjfz/WebStack-Guns on Java 8 / Spring Boot 2.0.1
**Vulnerability Type:** Cross-Site Request Forgery (CSRF)
## Summary
The WebStack-Guns application lacks CSRF protection on all state-changing endpoints in the administrative backend. It relies solely on session cookies to authorize sensitive actions. A remote attacker can craft a malicious web page that, when visited by a logged-in administrator, will force the victim's browser to submit forged requests to the application. This can result in arbitrary administrative actions being executed without the administrator's knowledge or consent, including deleting users, changing roles, and modifying system data, leading to a full compromise of application integrity and availability.
## Component Overview
- **`com.jsnjfz.manage.modular.system.controller.UserMgrController`** (src/main/java/com/jsnjfz/manage/modular/system/controller/UserMgrController.java): This controller handles all user management functions. Methods like `delete`, `edit`, `setRole`, and `changePwd` accept POST or GET requests and perform sensitive actions without validating any anti-CSRF tokens.
- **`com.jsnjfz.manage.config.web.ShiroConfig`** (src/main/java/com/jsnjfz/manage/config/web/ShiroConfig.java): The Shiro security configuration does not implement any CSRF protection filters.
- **Frontend JavaScript (`user_info.js`, etc.)**: The JavaScript code responsible for submitting forms via AJAX (`$ax`) does not include any logic to append a CSRF token to requests.
The design fails to implement the Synchronizer Token Pattern or any other defense against CSRF. Any request is considered legitimate as long as it is accompanied by a valid session cookie.
## Proof of Concept
An attacker can host the following HTML file on a malicious server.
```html
<!-- malicious-page.html -->
<html>
<head>
<title>You Won a Prize!</title>
</head>
<body>
<h1>Loading your prize...</h1>
<!-- This hidden image tag will send a GET request to the delete endpoint -->
<!-- The victim's browser will automatically include the session cookie -->
<img src="http://<TARGET_IP>:8000/mgr/delete?userId=2" style="display:none;" />
<p>Your prize will be delivered shortly.</p>
</body>
</html>
```
**Attack Steps:**
1. An administrator is logged into the WebStack-Guns application at `http://<TARGET_IP>:8000`.
2. The attacker tricks the administrator into visiting the malicious page (e.g., via a phishing email).
3. When the page loads, the administrator's browser automatically sends a `GET` request to `http://<TARGET_IP>:8000/mgr/delete?userId=2`, including their session cookie.
4. The server validates the session cookie, authorizes the request as a legitimate administrative action, and proceeds to delete the user with ID `2`. The action is successful, and the administrator is unaware that it occurred. The same technique applies to all other state-changing endpoints.
## Root Cause Analysis
1. **Missing Token Validation**: The application's backend does not generate, issue, or validate anti-CSRF tokens for any state-changing requests.
2. **Sole Reliance on Cookies**: Authentication and authorization for sensitive actions are based exclusively on the presence of a valid session cookie, which browsers send automatically with every request to a given domain.
3. **Insecure Defaults**: The application does not leverage standard, built-in CSRF protection mechanisms available in Spring or Shiro, leaving all POST and state-changing GET endpoints vulnerable.
## Impact
This vulnerability allows a remote, unauthenticated attacker to execute arbitrary actions on behalf of a privileged, authenticated user. An attacker can achieve a complete compromise of the application's administrative functions, leading to:
- **High Integrity Impact**: Attackers can modify or delete any data, create new admin accounts, and elevate privileges of existing accounts.
- **High Availability Impact**: Attackers can delete all user accounts, including other administrators, or change their passwords, effectively locking them out and rendering the application unusable for legitimate users.
## Recommended Remediation
1. **Implement Synchronizer Token Pattern**: Integrate a robust, per-session anti-CSRF token mechanism.
- On the server side, generate a unique token for each user session.
- Embed this token in a hidden field in all forms.
- For AJAX requests, pass the token in a custom HTTP header (e.g., `X-CSRF-TOKEN`).
- Before executing any state-changing action, the server must validate that the token submitted with the request matches the one stored in the user's session.
2. **Use Framework Features**: Enable and configure the built-in CSRF protection provided by Spring Security. If continuing with Shiro, integrate a library or custom filter for CSRF protection.
3. **Enforce SameSite Cookies**: Set the `SameSite` attribute on session cookies to `Strict` or `Lax` to mitigate CSRF on browsers that support it.
4. **Re-Authentication for Sensitive Actions**: For highly critical operations like changing a password or email, require the user to re-enter their current password.
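As an added example (not WebStack-Guns project code), the following servlet filter implements steps 1 and 4 of the synchronizer token pattern above, accepting the token from either the `X-CSRF-TOKEN` header used by AJAX calls or a hidden form field. The class name, the `_csrf` parameter name, the session attribute key and the list of state-changing GET paths are assumptions; it targets the Java 8 / Spring Boot 2.0.1 (Servlet 3.1) environment named above.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not WebStack-Guns code: synchronizer token filter for Spring Boot 2 / Shiro.
// Class, attribute, header and parameter names below are assumptions, not project identifiers.
public class CsrfTokenFilter implements Filter {
    public static final String SESSION_KEY = "CSRF_TOKEN"; // per-session token (step 1)
    public static final String HEADER = "X-CSRF-TOKEN";    // AJAX ($ax) requests (step 3)
    public static final String PARAM = "_csrf";            // hidden form field (step 2)
    private static final SecureRandom RNG = new SecureRandom();
    // Assumed: GET endpoints that mutate state (the PoC's /mgr/delete) until they become POST
    private static final Set<String> STATE_CHANGING_GET = new HashSet<>(Arrays.asList("/mgr/delete"));
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        String expected = (String) session.getAttribute(SESSION_KEY);
        if (expected == null) {                      // first contact: issue a random token
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            expected = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(SESSION_KEY, expected);
        }
        request.setAttribute(SESSION_KEY, expected); // templates render it into hidden fields
        if (requiresToken(request)) {                // step 4: validate before any mutation
            String submitted = request.getHeader(HEADER);
            if (submitted == null) submitted = request.getParameter(PARAM);
            if (submitted == null || !MessageDigest.isEqual( // constant-time compare
                    expected.getBytes(StandardCharsets.UTF_8), submitted.getBytes(StandardCharsets.UTF_8))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                return;                              // the session cookie alone never suffices
            }
        }
        chain.doFilter(req, res);
    }
    // Safe methods pass unless they are on the assumed state-changing GET list
    private static boolean requiresToken(HttpServletRequest r) {
        String m = r.getMethod();
        boolean safe = "GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m);
        return !safe || STATE_CHANGING_GET.contains(r.getRequestURI().substring(r.getContextPath().length()));
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Register the filter (for example with a Spring Boot `FilterRegistrationBean`) so it runs ahead of the controllers, and have the `$ax` helper send the `X-CSRF-TOKEN` header on every call.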
## References
- **Vulnerable Controller Source:** https://github.com/jsnjfz/WebStack-Guns/blob/master/src/main/java/com/jsnjfz/manage/modular/system/controller/UserMgrController.java
- **CWE-352: Cross-Site Request Forgery (CSRF):** https://cwe.mitre.org/data/definitions/352.html
|
|---|
| Source | https://github.com/rassec2/dbcve/issues/19 |
|---|
| User | qiushui (UID 93022) |
|---|
| Submission | 2025-12-02 12:57 (6 months ago) |
|---|
| Moderation | 2025-12-14 11:50 (12 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB Entry | 311659 [jsnjfz WebStack-Guns 1.0 cross-site request forgery] |
|---|
| Points | 0 |
|---|