Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Posted: 13 Mar 2021, 06:59
by TuongNC
Thanks for reproducing.
I have only tried things that are directly related to admin rights, but it seems that the entire Rukovoditel CRM is not protected against CSRF.

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Posted: 16 Mar 2021, 15:06
by swar
Well, I have briefly checked the code of some modules, and there is a function app_check_form_token() that protects some actions against CSRF. The problem is that it is used only in some places, but surely not everywhere. Even after the fix uploaded by support in the other thread, there are a lot of forms and actions without this protection.

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Posted: 06 Jan 2022, 09:42
by support
This issue was fixed for 2.9. I have added &token= to every action URL, so now you can't simply submit a form from another place.
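The two posts above describe a synchronizer-token check (a function that validates a per-session form token, and a `&token=` parameter carried on action URLs). The following is an added example of that pattern, not Rukovoditel's code: the hypothetical `check_form_token()` stands in for `app_check_form_token()`, the in-memory session store, the `index.php?action=...` URL shape and the action names `users_add`/`users_delete` are assumptions, and the requests fed to `handle_action()` are constructed. It shows why coverage matters: a state-changing action that forgets to call the check accepts a cross-site form, while one that calls it rejects a missing token, a token from another user's session, and a token that merely shares a prefix.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: a per-session store keyed by session id (a real app keeps this
# in its session backend). Hypothetical, not the CRM's own storage.
_sessions: Dict[str, Dict[str, str]] = {}

# Assumed set of actions that change state and therefore need the check.
STATE_CHANGING_ACTIONS = {"users_add", "users_delete"}


def start_session() -> str:
    """Create a new session and return its id (constructed, not a real cookie)."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {}
    return sid


def issue_form_token(sid: str) -> str:
    """Mint the synchronizer token bound to this session, reusing it if present.

    The token is what the server embeds in its own forms as a hidden field and
    appends to action URLs as &token=; an attacker's page cannot read it.
    """
    sess = _sessions[sid]
    if "form_token" not in sess:
        sess["form_token"] = secrets.token_urlsafe(32)
    return sess["form_token"]


def check_form_token(sid: str, submitted: Optional[str]) -> bool:
    """Hypothetical equivalent of app_check_form_token().

    Fails closed when the session has no token or nothing was submitted, and
    compares in constant time so the token cannot be guessed byte by byte.
    """
    sess = _sessions.get(sid)
    if sess is None or "form_token" not in sess or not submitted:
        return False
    return hmac.compare_digest(sess["form_token"], submitted)


def handle_action(sid: str, url: str, form: Dict[str, str], protected: bool = True) -> str:
    """Dispatch one request; `protected=False` models an action that skips the check.

    The token is accepted either as a form field or as the &token= query
    parameter, which is the shape the 2.9 fix described above uses.
    """
    query = parse_qs(urlsplit(url).query)
    action = query.get("action", [""])[0]
    if action not in STATE_CHANGING_ACTIONS:
        return "200 read-only view"
    if protected:
        token = form.get("token") or query.get("token", [None])[0]
        if not check_form_token(sid, token):
            return "403 invalid or missing CSRF token"
    return f"200 performed {action}"


if __name__ == "__main__":
    victim = start_session()
    token = issue_form_token(victim)
    # Server-rendered form: carries the token, so the action runs.
    print(handle_action(victim, "/index.php?action=users_add", {"name": "mallory", "token": token}))
    # Cross-site auto-submitting form: the browser sends the victim's cookie
    # but the attacker cannot include the token, so a checked action refuses.
    print(handle_action(victim, "/index.php?action=users_add", {"name": "mallory"}))
    # The same forgery against an action that never calls the check succeeds,
    # which is the gap swar describes.
    print(handle_action(victim, "/index.php?action=users_add", {"name": "mallory"}, protected=False))
```

Running the file prints a 200, a 403 and then another 200 for the unprotected variant. The check is only as good as its coverage: every handler that mutates state has to call it, and the token must be tied to the session rather than global, otherwise an attacker who logs in to their own account learns a token that works against everyone.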