Cross-site request forgery/Confused deputy problem

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
9 years ago
Hi,

I have been doing some custom development work against nop 3.5 and I think I have found a CSRF vulnerability in the Admin portal.

I have setup a demo site @ http://benevolent-kitten.neocities.org to demonstrate the attack leveraged against the demo admin portal @ http://admin-demo.nopcommerce.com/

The steps to reproduce the attack are (note this was tested in Google Chrome):

1) Go to (http://admin-demo.nopcommerce.com/Admin/GiftCard/List) nop demo admin portal and login. (Email:[email protected] Password:admin)
2) Take a note of the gift card count.
3) Go to (http://benevolent-kitten.neocities.org/).
4) Go to gift card list page again (http://admin-demo.nopcommerce.com/Admin/GiftCard/List) and see the new gift card.

The issue here is if a user with authorization to edit gift cards is socially engineered into visiting http://benevolent-kitten.neocities.org/ they will unknowingly create a new gift card. I am sure with a little thought you could engineer a much less benign attack.

Nick
9 years ago
Hi Nick,

Everything works fine. Gift cards cannot be "created" this way. I presume somebody created it manually on your site.

P.S. Please do not create duplicate forum topics (deleted).
9 years ago
Hi a.m,

Were you not able to reproduce the issue?

I can send you a video of the attack in action.

Nick
9 years ago
Hi Nick,

I have admin access to several dozen sites powered by nopCommerce, and none of them has this issue.

It's not possible (even theoretically) to create a new gift card record by visiting (simple page open) two sites.
9 years ago
By the way, if you want to avoid XSRF attacks in the admin area (although I don't think your example is related to it), please have a look at how it's implemented in the registration process (public store) and then implement the same in the admin area:

1. \Views\Customer\Register.cshtml file - @Html.AntiForgeryToken()
2. \Nop.Web\Controllers\CustomerController.cs - [ValidateAntiForgeryToken] attribute for "Register" method
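To illustrate the suggestion above, here is an added example (not nopCommerce code and not from this thread) that goes slightly beyond the per-method attribute: a single ASP.NET MVC filter that applies the same anti-forgery check to every non-GET request, next to a controller action and Razor form; the controller, parameter and view names are assumptions.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example, not nopCommerce code. One filter that enforces the anti-forgery
// check on every non-GET request, so the attribute does not have to be added to
// each admin controller by hand. All names below are hypothetical.
public sealed class ValidateAntiForgeryOnUnsafeMethodsAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var method = filterContext.HttpContext.Request.HttpMethod;
        // GET must never change state, so it carries no token and is skipped.
        if (string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase))
            return;
        // Same check [ValidateAntiForgeryToken] performs: compares the
        // __RequestVerificationToken cookie with the hidden form field and
        // throws HttpAntiForgeryException when either is missing or they differ.
        AntiForgery.Validate();
    }
}

// Register once in Global.asax.cs, inside Application_Start():
//   GlobalFilters.Filters.Add(new ValidateAntiForgeryOnUnsafeMethodsAttribute());

// Hypothetical admin action. With the filter above (or the attribute on this
// method) the POST is accepted only when the submitting form rendered
// @Html.AntiForgeryToken(); a third-party page cannot produce that field
// because it cannot read the victim's anti-forgery cookie.
public class GiftCardController : Controller
{
    [HttpPost]
    public ActionResult Create(string code, decimal amount)
    {
        // ... persist the new gift card ...
        return RedirectToAction("List");
    }
}

/* Matching Razor view (Views/GiftCard/Create.cshtml):
@using (Html.BeginForm("Create", "GiftCard", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    <input name="code" /> <input name="amount" />
    <button type="submit">Create</button>
}
*/
```

A request that fails the check is rejected before the action runs, so a state-changing admin action that is still reachable by GET remains unprotected and should be converted to POST first.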
9 years ago
Hi,

Here is a video of what I am seeing.

https://www.youtube.com/watch?v=k--CmyBI2Lc

Cheers,

Nick
9 years ago
Hi Nick,

Thanks a lot. I thought your site (http://benevolent-kitten.neocities.org/) is just a clean nopCommerce installation. Now I see that you created a form with POST to nopCommerce admin area. Thanks for explanation and video.

In this case my suggestion above should work. I've just created a work item for this task.
9 years ago
No worries,

Would you like me to pull the video or keep it up for reference?

Nick
9 years ago
Hi Nick,

Please keep it up. Thanks
9 years ago
Hi,

Here is a pull request for 6 controllers' worth of fixes (CategoryController, CampaignController, BlogController, AffiliateController, AddressAttributeController and ActivityLogController) to resolve the issue.

https://nopcommerce.codeplex.com/SourceControl/network/forks/nickshepherd/xsfradminfixes/contribution/7930

This is a very time-consuming task; if my changes here work for you, I'll implement the rest.

Cheers, Nick

P.S. This is my first time using Git/CodePlex so let me know if this is the right way to submit code.