Kalcaddle Kodbox Cross-Site Request Forgery Vulnerability in OAuth Login API

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Kalcaddle Kodbox version 1.64. The issue arises in the loginSubmit API, specifically within an unknown function of the file '/workspace/source-code/plugins/oauth/controller/bind/index.class.php'. The vulnerability can be exploited remotely, although the attack is rated as highly complex to carry out. A proof-of-concept exploit has been published.

Impact

Exploitation of this vulnerability allows an attacker to perform actions on behalf of another user, potentially including administrative privileges, by manipulating the OAuth login process.

Reproduction

To reproduce this vulnerability, first bind an OpenID or UnionID to a victim's account using the 'bind' method of the 'plugin/oauth/bind' endpoint, which is exempt from CSRF protection and lacks server-side verification. Once the UnionID is bound to the victim, submit a forged JSON payload containing the UnionID through the 'loginSubmit' API. This will result in logging in as the victim, including access to root administrator privileges.

Remediation

The vulnerability can be addressed by rejecting raw client data in the 'third' argument, validating all OAuth identities through trusted server-to-server processes, enforcing CSRF protection and POST-only requirements on binding operations, and implementing strong verification and auditing for UnionID bindings.
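The following is an added illustration of those remediation points as a single binding handler; it is not Kodbox code, and the class name, the `exchangeCode` and `audit` callables, and the `code` and `csrf_token` field names are assumptions made for the example.

```php
<?php
// Hypothetical hardened OAuth binding handler (added example, not Kodbox code).
// Assumed: the session already holds a per-session CSRF token, and the OAuth
// provider offers a server-to-server endpoint that turns a one-time auth code
// into a verified identity (modelled here by the injected $exchangeCode callable).
declare(strict_types=1);

final class OauthBindHandler
{
    /**
     * @param callable(string):?array $exchangeCode  server-to-server code exchange
     * @param callable(array):void    $audit         audit-log sink for bindings
     */
    public function __construct(private $exchangeCode, private $audit) {}

    public function bind(array $server, array $post, array $session, int $userId): array
    {
        // 1. POST-only: a state-changing bind must never be triggerable by a GET link.
        if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
            return ['ok' => false, 'error' => 'method_not_allowed'];
        }
        // 2. CSRF: the submitted token must match the session token (constant-time compare).
        $sent = (string)($post['csrf_token'] ?? '');
        $real = (string)($session['csrf_token'] ?? '');
        if ($real === '' || !hash_equals($real, $sent)) {
            return ['ok' => false, 'error' => 'csrf_failed'];
        }
        // 3. Reject any client-supplied identity fields (the raw 'third' data).
        if (isset($post['openid']) || isset($post['unionid'])) {
            return ['ok' => false, 'error' => 'client_identity_rejected'];
        }
        // 4. Resolve the identity ourselves from the provider using the one-time code.
        $identity = ($this->exchangeCode)((string)($post['code'] ?? ''));
        if ($identity === null || empty($identity['unionid'])) {
            return ['ok' => false, 'error' => 'provider_verification_failed'];
        }
        // 5. Audit every binding so an unexpected link to a privileged account is visible.
        ($this->audit)([
            'user'    => $userId,
            'unionid' => $identity['unionid'],
            'ip'      => $server['REMOTE_ADDR'] ?? '',
            'at'      => gmdate('c'),
        ]);
        return ['ok' => true, 'unionid' => $identity['unionid']];
    }
}
```

A real deployment would back `$exchangeCode` with an HTTPS call to the provider's token endpoint and `$audit` with the application's existing log store; the handler itself never stores an identity it did not verify.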

Added: Mar 23, 2026, 3:20 PM
Updated: Mar 23, 2026, 3:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.6
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.