WuKongOpenSource WukongCRM Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in WuKongOpenSource WukongCRM version 9.0. The issue is in the AdminRoleController.java file, where the application does not verify that state-changing requests from users with administrative privileges were intentionally issued by them. This flaw allows attackers to trick a logged-in administrator into submitting a forged request that is executed with admin rights, potentially leading to unauthorized changes in user permissions or other sensitive data.
Impact
Exploitation of this vulnerability allows attackers to manipulate user permissions, including granting administrative rights to regular users, all without the knowledge or consent of the affected administrator.
Reproduction
To reproduce this vulnerability, send a crafted POST request to the '/system/role/relatedUser' endpoint with the 'userIds' and 'roleIds' parameters. The server performs no anti-CSRF token check, and the request is still accepted when the Referer header is removed, which confirms the CSRF vulnerability.
Remediation
Implement anti-CSRF tokens in all state-changing forms or actions, ensuring that the server verifies the request's origin. Additionally, set the SameSite attribute on cookies to Strict or Lax, validate the Referer header for sensitive actions, and consider using double-submit cookies to enhance CSRF protection.
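A server-side check that applies the Referer/Origin validation and double-submit cookie pattern described above to the vulnerable endpoint, written here as an added example; it is not code from WukongCRM. The trusted origin, the 'csrf_token' cookie and parameter names, and the sample requests are constructed assumptions.

```python
import hmac
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://crm.example.test"   # assumed deployment origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def source_allowed(headers: dict) -> bool:
    """Origin/Referer check for state-changing requests.

    A request carrying neither header is rejected, so stripping Referer no
    longer slips past the check the way the vulnerable version allows.
    """
    origin = headers.get("Origin")
    if origin:
        return origin == TRUSTED_ORIGIN
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def token_matches(cookies: dict, params: dict) -> bool:
    """Double-submit cookie: the token in the cookie must equal the token
    sent in the request body; a cross-site form cannot read the cookie,
    so it cannot supply a matching value. Constant-time comparison."""
    cookie_token = cookies.get("csrf_token", "")
    body_token = params.get("csrf_token", "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, body_token)


def csrf_check(method: str, headers: dict, cookies: dict, params: dict) -> bool:
    """Return True when a request may proceed, False when it must be refused
    (e.g. with HTTP 403). Safe methods are not subject to the check."""
    if method not in STATE_CHANGING:
        return True
    return source_allowed(headers) and token_matches(cookies, params)


# Constructed sample: a forged POST to /system/role/relatedUser that the
# vulnerable version accepts. The browser attaches the session cookie, but
# the forged form carries no Referer from the trusted origin and no token.
FORGED = dict(method="POST", headers={},
              cookies={"JSESSIONID": "constructed-session-id"},
              params={"userIds": "7", "roleIds": "1"})

if __name__ == "__main__":
    print("forged request allowed:", csrf_check(**FORGED))   # False
```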
