Search found 12 matches

by TuongNC
13 Mar 2021, 06:59
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
Replies: 14
Views: 1250

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password

Thanks for reproducing.
I have just tried things that are directly related to admin rights. But it seems that the entire Rukovoditel CRM is not protected against CSRF.
by TuongNC
13 Mar 2021, 06:59
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege
Replies: 12
Views: 7712

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Thanks for reproducing.
I have just tried things that are directly related to admin rights. But it seems that the entire Rukovoditel CRM is not protected against CSRF.
by TuongNC
12 Mar 2021, 07:40
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege
Replies: 12
Views: 7712

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

You can't do any action if you are not logged in. So any HTML file like this will redirect to login. It's not the attacker that needs to be logged in, but the victim. When the victim is logged in and clicks on the page, the actions will be done on behalf of the victim: https://en.wikipedia.org/wiki/Cross-sit...
by TuongNC
11 Mar 2021, 21:56
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege
Replies: 12
Views: 7712

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Again you are testing with localhost and XAMPP. By default the session is the same for all localhost folders, which is why you can send a request from an HTML form if there is a logged-in user in http://localhost//rukovoditel_2.8.3/. But on a live server you can't do it. On a live server, I just need an ADMIN to click my...
by TuongNC
11 Mar 2021, 21:48
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
Replies: 14
Views: 1250

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password

First, in the index.php?module=users/change_password module a user can change their own password only. There is no way to change the password for other users. Second, you are doing the test on http://localhost/ and the session is the same for all folders in localhost, which is why you can submit the form from a single HTML form. But ...
by TuongNC
11 Mar 2021, 07:20
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege
Replies: 12
Views: 7712

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Hi Tuong, it works, but in my case I had to put the PHP file with the malicious code on the same server. Also, it worked when the connection was on the same protocol (HTTPS). This means that (in my case, with my server configuration and the SameSite property of my cookies set to true) it is harder ...
by TuongNC
10 Mar 2021, 11:59
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege
Replies: 12
Views: 7712

CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

CSRF vulnerability on Rukovoditel 2.8.3 ## Bug Description Hi. I found a CSRF in the add new user module in Rukovoditel 2.8.3. A hacker can add a new user with admin privileges. ## How to Reproduce Steps to reproduce the behavior: 1. Create a CSRF POC using the following code. <!DOCTYPE HTML PUBLIC &quo...
by TuongNC
09 Mar 2021, 21:21
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
Replies: 14
Views: 1250

CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password

CSRF vulnerability on Rukovoditel 2.8.3 ## Bug Description Hi. I found a CSRF in the change password module in Rukovoditel 2.8.3. A hacker can change the admin's password when the admin clicks the link. ## How to Reproduce Steps to reproduce the behavior: 1. Create a CSRF POC using the following code. <!DOCTYPE HTML PUBLI...