Diskover Data Diskover-Community Cross-Site Request Forgery Vulnerability Allowing Privilege Escalation
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Diskover Data's Diskover-Community version 2.3.5 and earlier. The issue resides in the 'public/settings_process.php' file, where the application fails to validate CSRF tokens for sensitive POST requests. This oversight enables remote attackers to exploit the vulnerability by modifying application settings, bypassing authentication, and potentially accessing or manipulating sensitive information.
Impact
Exploitation of this vulnerability leads to complete authentication bypass, allowing unauthorized access to the application. This could result in unauthorized data access or manipulation, particularly through Elasticsearch, and could be combined with existing Cross-Site Scripting vulnerabilities for automated exploitation.
Reproduction
To reproduce this vulnerability, first authenticate as an admin to obtain a valid session cookie. Then, send a malicious POST request to 'public/settings_process.php' without a CSRF token. Include the desired settings changes in the request. The server will respond with a success message, indicating that the settings have been changed. After that, access 'dashboard.php' to verify that authentication has been bypassed and the application is accessible without login.
Remediation
It is recommended to generate a CSRF token when the user logs in, store it in the user's session, and validate it on every POST request by comparing the token supplied in the POST data against the one held in the session, rejecting the request when they are missing or do not match.
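The following is an added example of the recommended fix, written for a PHP application like Diskover-Community's web UI; it is illustrative code, not the project's own, and the function names are assumed.

```php
<?php
// Added example: session-bound CSRF token issuance and validation in PHP.
// Not Diskover-Community's code; helper names are assumed for illustration.
declare(strict_types=1);

// Call once the user has authenticated (e.g. at the end of the login handler).
// Binding the token to the session means a cross-site form cannot know it.
function csrf_issue_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 32 bytes from a CSPRNG, hex-encoded so it embeds safely in HTML.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

// Emit the token as a hidden field in every state-changing form.
function csrf_hidden_field(): string
{
    $token = $_SESSION['csrf_token'] ?? csrf_issue_token();
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate at the top of every POST handler (e.g. public/settings_process.php).
// Returns true only when the session holds a token, the request supplies a
// string token, and the two match; hash_equals() compares in constant time.
function csrf_validate(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $provided = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($provided)) {
        return false;
    }
    return hash_equals($expected, $provided);
}

// Usage in settings_process.php, before any setting is written:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_validate($_POST)) {
    http_response_code(403);
    exit('Invalid or missing CSRF token');
}
```

As defence in depth, also mark the session cookie `SameSite` (for example via `session_set_cookie_params(['samesite' => 'Lax'])`), so a cross-site POST does not carry the session at all.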
