| Title | WuKongOpenSource WukongCRM v9.0 Cross-Site Request Forgery |
|---|
| Description | WukongCRM v9.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/user/updataPassword.
# **NAME OF AFFECTED PRODUCT(S)**
- WukongCRM
## Vendor Homepage
https://github.com/WuKongOpenSource/WukongCRM-9.0-JAVA
# **AFFECTED AND/OR FIXED VERSION(S)**
## Submitter
- aiyakami, Yveslawtox, luokuang1
## Vulnerable File
- AdminUserController.java
## VERSION(S)
- V9.0
## Software Link
- https://github.com/WuKongOpenSource/WukongCRM-9.0-JAVA
# **PROBLEM TYPE**
## Vulnerability Type
- CSRF (Cross-Site Request Forgery)
## Root Cause
- The `/system/user/updataPassword` endpoint performs a state-changing action (a password update) on the strength of the victim's session cookie alone: the form carries no anti-CSRF token, and the request is still accepted when the Referer header is removed. An attacker can therefore trick a logged-in user into submitting a forged POST from a page the attacker controls; the browser attaches the session cookie and the request executes with the user's privileges, altering sensitive data without the user's consent.
## Impact
- An attacker can cause an authenticated user to change their own password, or to perform any other state-changing action that is exposed without CSRF protection, without the user's consent.
Successful exploitation can lead to:
- Account takeover: the attacker sets a password they know and then logs in as the victim.
- Unauthorized actions performed on behalf of the user, including privileged ones if the victim is an administrator.
- Potential data loss or unauthorized data leakage.
Caveat: the forged form has to supply `oldPwd` as well as `newPwd`. If the server verifies `oldPwd` against the stored password, the attack only succeeds when the attacker already knows the victim's current password (for example a default or reused one), which narrows the realistic set of victims.
# **DESCRIPTION**
- During a security audit of WukongCRM-9.0-JAVA, a CSRF vulnerability was identified in the password-change handler in AdminUserController.java, reached via /system/user/updataPassword. The endpoint accepts a state-changing POST without any anti-CSRF token or origin check, so an attacker can craft a request that, when submitted by a logged-in user's browser, changes that user's password (or performs similar profile updates) without their consent.
# **Vulnerability details and POC**
## Vulnerable Location:
- `AdminUserController.java`
## Payload:
Example: the attacker hosts the following page (localhost:7878 is the test instance). When a logged-in victim opens it and submits the form, the browser attaches the victim's session cookie and the server changes the password to the attacker-chosen value `111111`; the `history.pushState` call only hides the attacker's URL from the address bar.
```html
<html>
<body>
<form action="http://localhost:7878/system/user/updataPassword" method="POST" name="form1" enctype="application/x-www-form-urlencoded" >
<input type="hidden" name="oldPwd" value="123456"/>
<input type="hidden" name="newPwd" value="111111"/>
<input type="submit" value="Submit request" />
</form>
<script>history.pushState('', '', '/');</script>
</body>
</html>
```
## Testing notes (yakit)
The original report documents the test with yakit screenshots. The relevant observation: after removing the Referer header from the captured request and resubmitting it, the request is still accepted, so the endpoint does not rely on Referer validation either.

# Suggested repair
1. **Anti-CSRF Tokens**
Implement anti-CSRF (synchronizer) tokens in all state-changing forms and actions (e.g., POST requests), so the server can check that the request originates from a page it served. This is the primary fix; the measures below are defense in depth.
2. **SameSite Cookies**
Set the SameSite attribute of the session cookie to Strict or Lax. Either value stops the browser from attaching the session cookie to a cross-site top-level POST such as the one in the PoC; Lax still sends it on top-level GET navigations, so no state-changing action may be reachable via GET.
3. **Referer/Origin Header Validation**
Validate the Origin header (falling back to Referer) for sensitive actions against the application's own origin, and fail closed: reject requests that carry neither header. The test above shows the endpoint accepting a request with the Referer removed, which is exactly what a fail-open Referer check would allow.
4. **Double Submit Cookies**
Where server-side session state is not available for tokens, store the CSRF token in a second cookie and require the same value in the form submission. Sign the token with a server secret and bind it to the session; otherwise an attacker who can set cookies for the domain (e.g., from a subdomain) can plant a matching cookie/form pair.
## Recommended Fix
Integrate an anti-CSRF solution (tokens plus SameSite cookies) for all state-changing requests, including /system/user/updataPassword.
Ensure that sensitive actions require additional user verification (e.g., re-entering the current password) and that this verification is enforced server-side.
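The following is an added example, not WukongCRM code. It models the PoC's forged password-change request against a handler that checks only the session cookie and `oldPwd`, as the report describes, and against a hardened handler that applies the repairs listed above: a fail-closed Origin/Referer check and a signed double-submit token bound to the session. It also includes a small model of what SameSite=Lax/Strict does to the session cookie on a cross-site POST. The names `SERVER_SECRET`, `SESSION_COOKIE` (`sid`), the `csrf` cookie, the `_csrf` form field, `Request` and `SESSIONS` are assumptions for the demonstration; the real session and token mechanics of WukongCRM are not shown on this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

SITE_ORIGIN = "http://localhost:7878"        # origin of the test instance in the PoC form
SERVER_SECRET = b"example-secret-rotate-me"  # assumption: server-side key for signing tokens
SESSION_COOKIE = "sid"                       # assumption: name of the session cookie
CSRF_COOKIE, CSRF_FIELD = "csrf", "_csrf"    # assumption: double-submit cookie / form field names

SESSIONS = {"sid-victim": "alice"}           # constructed sample state: session id -> user


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict
    form: dict


def issue_csrf_token(session_id: str) -> str:
    """Signed double-submit token: nonce + HMAC(secret, session|nonce). Binding the token
    to the session defeats cookie injection: an attacker who can plant a cookie for the
    site still cannot produce a cookie/form pair that verifies for the victim's session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id, token) -> bool:
    if not isinstance(session_id, str) or not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def source_origin_ok(req: Request) -> bool:
    """Origin first, Referer as fallback, and fail closed when both are absent: the report
    shows the request being accepted with the Referer stripped, which a fail-open
    Referer check would permit."""
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def _change_password(users: dict, req: Request):
    user = SESSIONS.get(req.cookies.get(SESSION_COOKIE))
    if user is None:
        return 401, "not logged in"
    if req.form.get("oldPwd") != users.get(user):
        return 400, "wrong old password"
    users[user] = req.form["newPwd"]
    return 200, "password updated"


def update_password_vulnerable(users: dict, req: Request):
    """Behaviour described in the report: only the session cookie and oldPwd are checked."""
    return _change_password(users, req)


def update_password_hardened(users: dict, req: Request):
    """Origin/Referer check plus signed double-submit token before the real work."""
    if req.method != "POST":
        return 405, "method not allowed"
    if not source_origin_ok(req):
        return 403, "cross-site request rejected"
    form_token, cookie_token = req.form.get(CSRF_FIELD), req.cookies.get(CSRF_COOKIE)
    if not form_token or not cookie_token or not hmac.compare_digest(
            form_token.encode(), cookie_token.encode()):
        return 403, "csrf token missing or mismatched"
    if not csrf_token_valid(req.cookies.get(SESSION_COOKIE), form_token):
        return 403, "csrf token not bound to this session"
    return _change_password(users, req)


def browser_attaches_cookie(same_site: str, cross_site: bool, method: str) -> bool:
    """Simplified SameSite model for a top-level navigation: Strict never sends the cookie
    cross-site, Lax only on GET, None always. The PoC is a cross-site top-level POST, so
    Lax alone already withholds the session cookie from it."""
    if not cross_site or same_site == "None":
        return True
    if same_site == "Strict":
        return False
    return method == "GET"  # Lax


def forged_request(headers: dict) -> Request:
    """The PoC form as the victim's browser submits it: session cookie attached, no token."""
    return Request("POST", headers, {SESSION_COOKIE: "sid-victim"},
                   {"oldPwd": "123456", "newPwd": "111111"})


def legitimate_request(token: str = None) -> Request:
    """The same form submitted from the site itself, with a token in cookie and form."""
    token = token or issue_csrf_token("sid-victim")
    return Request("POST", {"Origin": SITE_ORIGIN},
                   {SESSION_COOKIE: "sid-victim", CSRF_COOKIE: token},
                   {"oldPwd": "123456", "newPwd": "111111", CSRF_FIELD: token})


if __name__ == "__main__":
    for handler in (update_password_vulnerable, update_password_hardened):
        users = {"alice": "123456"}
        print(handler.__name__, handler(users, forged_request({"Origin": "http://attacker.example"})))
        print(handler.__name__, handler(users, forged_request({})), users)
```

Run stand-alone, the vulnerable handler reports `password updated` for both the attacker-origin and the header-less variant of the forged request, while the hardened handler rejects both with 403 and leaves the password unchanged. A token planted by the attacker in both cookie and form passes the equality check but fails the HMAC binding, which is the reason to sign double-submit tokens rather than compare two cookies blindly.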
|
|---|
| Source | ⚠️ https://github.com/Aiyakami/CVE-1/issues/6 |
|---|
| User | aiyakami (UID 85128) |
|---|
| Submission | 05/26/2025 04:09 (11 months ago) |
|---|
| Moderation | 06/03/2025 11:27 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 310957 [WuKongOpenSource WukongCRM 9.0 updataPassword cross-site request forgery] |
|---|
| Points | 20 |
|---|