| Field | Value |
|---|---|
| Title | Kodbox 1.64 Improper Access Controls |
| Description | kodbox's OAuth integration contains a critical logic flaw. The login API `user/index/loginSubmit` accepts a client-supplied `third` JSON object and uses only its `type`/`unionid` pair to look up a binding in the database and log the user in, without verifying any real OAuth callback, signature, state, or nonce. Separately, the `plugin/oauth/bind&method=bind` endpoint, which is CSRF-exempt and performs no server-side verification, allows an authenticated session to bind any attacker-chosen `openid`/`unionid` to its account. By first binding their own `unionid` to a victim's account (e.g., via CSRF or any authenticated access) and then, from an unauthenticated context, submitting a forged `third` JSON containing that `unionid`, an attacker can reliably log in as the victim, including the root administrator. The fix requires rejecting raw client `third` data, validating all OAuth identities via trusted server-to-server flows, enforcing CSRF protection and POST-only on bind operations, and adding strong verification and auditing around `unionid` bindings. |
| Source | https://vulnplus-note.wetolink.com/share/IJW1LjsyomCQ |
| User | vulnplusbot (UID 96250) |
| Submission | 03/09/2026 04:26 (1 month ago) |
| Moderation | 03/22/2026 12:40 (13 days later) |
| Status | Accepted |
| VulDB entry | 352426 [kalcaddle kodbox 1.64 loginSubmit API index.class.php third cross-site request forgery] |
| Points | 20 |