CSRF vulnerability in ?language=
Assignee: Diogo Parrinha
% Done:
Reported In MyBB Version: 1.6.4
Database Version:
PHP Version: 5.3.8
SQA assignments: Jitendra Maharaj
Using http://community.mybb.com/forum-13.html?language=pirate as an image will change the user's language to the specified value.
There was a similar vulnerability with polls and marking forums as read, which is the same concept. If a user was to post that on a large forum, many users' languages could be changed without their permission. If the user doesn't speak that language, chances are they won't know how to change it back.
#1 Updated by Diogo Parrinha over 2 years ago
- Status changed from New to Assigned
- Assignee set to Diogo Parrinha
- Target version set to 1.6.5
I consider this CSRF vulnerability only because it is possible to change user data.
Where does it need updating? Dropdown box and what else? I can't think of any other place which allows us to switch to a different language pack.
#2 Updated by Nathan Malcolm over 2 years ago
There are two known places: the User CP, which I assume already has the post key in place, and the drop-down in the bottom right-hand corner, which allows the language to be changed from any page. I believe this is the culprit.
Lines 64 - 92 in global.php is where it needs to be patched to check for the post key, and this would also require a template edit for a hidden field in footer_languageselect.
#14 Updated by Diogo Parrinha over 2 years ago
Tom Moore wrote:
The other way around lol. This:
This way the user will actually return an error on their action.
This is why I didn't do it like that:
Diogo Parrinha wrote:
By the way my solution is to check the post key in passive mode and only change the language if the key is valid. Otherwise do nothing. It must be done this way because the templates are not loaded at that time thus we can't show any errors.
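The two handlers discussed in this thread side by side, as an added PHP illustration that is not MyBB's own code: the GET-driven language switch that the report describes, and the "passive" post-key check Diogo settles on, where a missing or wrong key simply leaves the language untouched because no templates are loaded yet to show an error. The helper names, the session layout and the hidden-field name `my_post_key` (MyBB's usual name for the post key field, as I recall it) are assumptions for the example; the sample request data is constructed.

```php
<?php
// Added example, not MyBB code. Shows the vulnerable "?language=" handler
// next to a hardened one that checks the post key passively.
declare(strict_types=1);

// Stand-in for the per-session CSRF token MyBB calls the "post key".
// Assumption: it lives in the session and is never placed in a URL.
function current_post_key(array $session): string
{
    return $session['post_key'];
}

// Vulnerable form: trusts the GET parameter alone, so a hotlinked image
// pointing at forum-13.html?language=pirate changes the viewer's language.
function set_language_vulnerable(array $request, array $available, array &$user): void
{
    $lang = $request['language'] ?? null;
    if (is_string($lang) && isset($available[$lang])) {
        $user['language'] = $lang;
    }
}

// Hardened form, "passive mode": honour the change only when a valid post
// key accompanies it; otherwise do nothing and report false to the caller.
// Returns true only when the language was actually changed.
function set_language_checked(array $request, array $available, array &$user, array $session): bool
{
    $lang = $request['language'] ?? null;
    // is_string() rejects ?language[]=x, which would otherwise be an
    // illegal array offset.
    if (!is_string($lang) || !isset($available[$lang])) {
        return false;
    }
    $supplied = $request['my_post_key'] ?? '';
    // hash_equals (PHP 5.6+) compares in constant time so the key cannot
    // be recovered through timing differences.
    if (!is_string($supplied) || $supplied === ''
        || !hash_equals(current_post_key($session), $supplied)) {
        return false; // forged or missing key: silently ignore the request
    }
    $user['language'] = $lang;
    return true;
}

// --- constructed sample run ---
$available = ['english' => 'English', 'pirate' => 'Pirate'];
$session   = ['post_key' => bin2hex(random_bytes(16))];
$user      = ['language' => 'english'];

// Request as a hotlinked image would send it: no post key at all.
$forged = ['language' => 'pirate'];

set_language_vulnerable($forged, $available, $user);
echo "vulnerable handler, forged request: language is now {$user['language']}\n";

$user['language'] = 'english';
$changed = set_language_checked($forged, $available, $user, $session);
echo "checked handler, forged request: changed=" . var_export($changed, true)
   . ", language {$user['language']}\n";

// Legitimate change from the footer drop-down, whose form carries the
// hidden my_post_key field that the thread proposes adding to the template.
$legit = ['language' => 'pirate', 'my_post_key' => $session['post_key']];
$changed = set_language_checked($legit, $available, $user, $session);
echo "checked handler, legitimate request: changed=" . var_export($changed, true)
   . ", language {$user['language']}\n";
```

Run with `php example.php`: the vulnerable handler switches the language on the forged request, the checked handler leaves it alone and returns false, and only the request carrying the session's post key changes it. The template side of the fix is the hidden field itself (`<input type="hidden" name="my_post_key" value="...">` in the language-select form), so the browser sends the key with a genuine drop-down submission but an `<img>` tag never can.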