CSRF Add User

Issue: SI-31
Date: Nov 30, 2015, 5:15:00 PM
Severity: Critical
Requires Admin Access: No
Fix Version: 3.3
Credit: Gjoko Krstic - zeroscience.mk
Description:

It is possible to use a well-formed POST to the DWR User endpoint to add a new blank user to the dotCMS system. The user will not be provisioned or permissioned in any way, but it will be a valid user in the system.

Combined with other attacks, this method might make it possible to access administrative endpoints that would otherwise be protected.

Mitigation:

Upgrade to dotCMS 3.3, or backport the fix in the commit referenced below, which prevents access to DWR endpoints without a valid authenticated user.
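The following servlet filter is an added illustration of the mitigation described above; it is not dotCMS's own code and not the content of the referenced commit. It refuses every request under /dwr/ that does not carry an authenticated session, which is the check the advisory says the fix enforces, and additionally rejects state-changing DWR requests whose Origin or Referer header does not name this host, so a forged cross-site POST riding a logged-in administrator's cookie is blocked as well. The session attribute name "AUTHENTICATED_USER_ID" is an assumption for the example; use whatever your login code actually sets.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter, not dotCMS code. Map it to /dwr/* (web.xml or
 * @WebFilter("/dwr/*")) so that only DWR traffic reaches it.
 *
 *  1. No authenticated session  -> 401, the request never reaches DWR.
 *  2. Authenticated but the POST did not originate from a page on this
 *     host -> 403, treated as cross-site request forgery. This second check
 *     goes beyond what the advisory describes for the 3.3 fix.
 *
 * ASSUMPTION: the login code stores the user id in the session attribute
 * "AUTHENTICATED_USER_ID". That name is hypothetical.
 */
public class DwrAuthFilter implements Filter {
    static final String USER_ATTR = "AUTHENTICATED_USER_ID"; // hypothetical name

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session for an anonymous caller.
        if (!isAuthenticated(request.getSession(false))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (isStateChanging(request.getMethod()) && !sameOrigin(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only when a session exists and a non-empty user id is stored in it. */
    static boolean isAuthenticated(HttpSession session) {
        if (session == null) return false;
        Object user = session.getAttribute(USER_ATTR);
        return user instanceof String && !((String) user).isEmpty();
    }

    /** Anything other than a safe method can create or modify state. */
    static boolean isStateChanging(String method) {
        return !("GET".equalsIgnoreCase(method)
                || "HEAD".equalsIgnoreCase(method)
                || "OPTIONS".equalsIgnoreCase(method));
    }

    /**
     * Compare the Origin header (falling back to Referer) with the host and
     * port the container saw. A missing header is rejected: browsers send
     * Origin on cross-site POSTs, and DWR calls come from browser pages, so a
     * legitimate DWR request always carries one.
     */
    static boolean sameOrigin(HttpServletRequest request) {
        String source = request.getHeader("Origin");
        if (source == null) source = request.getHeader("Referer");
        if (source == null) return false;
        try {
            URI uri = new URI(source);
            String host = uri.getHost();
            if (host == null) return false;
            int port = uri.getPort() == -1 ? defaultPort(uri.getScheme()) : uri.getPort();
            return host.equalsIgnoreCase(request.getServerName())
                    && port == request.getServerPort();
        } catch (URISyntaxException e) {
            return false; // unparsable header: treat as cross-site
        }
    }

    private static int defaultPort(String scheme) {
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }
}
```

Two caveats when deploying something like this: behind a reverse proxy that terminates TLS, getServerName() and getServerPort() must reflect the public host (configure the container to honour X-Forwarded-* headers, or compare against a fixed allow-list instead), and the session check alone does not stop a forged request sent by a browser that is already logged in as an administrator, which is why the origin comparison (or a per-session anti-CSRF token) is needed in addition to requiring authentication.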

References

https://github.com/dotCMS/core/commit/7b86fc850bf547e8c82366240dae27e7e56b4305