CVE-2020-18131
Description
Cross Site Request Forgery (CSRF) vulnerability in Bluethrust Clan Scripts v4 allows attackers to escalate privileges to an arbitrary account via a crafted request to /members/console.php?cID=5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Bluethrust Clan Scripts v4 allows an attacker to escalate privileges by tricking an admin into submitting a crafted request.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in Bluethrust Clan Scripts v4, specifically in the /members/console.php?cID=5 endpoint [1], [2]. The application does not implement sufficient anti-CSRF tokens or other request validation mechanisms, allowing an attacker to craft a malicious HTML form that, when submitted by an authenticated administrator, performs unauthorized actions such as adding a new member with elevated privileges [2].
Exploitation
To exploit the vulnerability, an attacker must trick an authenticated administrator into visiting a malicious page while logged into the application [2]. The attacker crafts a hidden HTML form that submits a POST request to /members/console.php?cID=5 with parameters including a new member username, password, and a high rank (e.g., rank value 41) [2]. The form includes a static CSRF token value that appears to be accepted by the application, indicating the token is not properly validated per session or user action [2]. The administrator does not need to click the submit button if JavaScript auto-submits the form.
Impact
Successful exploitation allows the attacker to add a new member account with high-level privileges (e.g., clan leader rank) without the administrator's knowledge or consent [2]. This results in privilege escalation and compromise of the clan management system, leading to unauthorized control over the application's administrative functions.
Mitigation
As of the latest available information, Bluethrust Clan Scripts v4 remains unpatched for this CSRF vulnerability [1], [2]. The project appears to be inactive, with no official fix or update released. Users should consider migrating to an alternative, actively maintained clan management solution. If continued use is necessary, administrators should implement additional security controls such as custom CSRF tokens, origin/referrer header checks, or deploying a web application firewall to detect and block crafted cross-origin requests.
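The following is an added illustration of the two compensating controls named above (a per-session anti-CSRF token and an Origin/Referer check); it is not code from Bluethrust Clan Scripts, and the site origin, form field name and request shapes are assumptions. It shows why a static token value is rejected once the token is bound to the server-side session, and why a request arriving from another origin is refused before the token is even examined.

```python
"""Minimal per-session anti-CSRF gate (added illustration, not Bluethrust code).

Models the two controls from the mitigation text: a random token stored in the
server-side session and compared in constant time, plus an Origin/Referer
check against the site's own origin. SITE_ORIGIN and TOKEN_FIELD are assumed.
"""
from __future__ import annotations

import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://clan.example.test"  # assumed deployment origin
TOKEN_FIELD = "csrf_token"                  # assumed hidden form field name


def issue_token(session: dict) -> str:
    """Store a fresh random token in the session and return it so the
    legitimate form can embed it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def same_origin(headers: dict) -> bool:
    """Accept only if Origin (or, failing that, Referer) matches the site's
    own scheme+host. A missing header is treated as a mismatch."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def token_valid(session: dict, form: dict) -> bool:
    """Constant-time compare of the submitted token with the session's token.
    A value never issued to this session (a static token copied from some
    other page) fails because the session holds nothing that matches it."""
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD, "")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def authorize_state_change(session: dict, headers: dict, form: dict) -> tuple[bool, str]:
    """Gate for any state-changing console action such as adding a member.
    Returns (allowed, reason) so the caller can log why a request was refused."""
    if not same_origin(headers):
        return False, "cross-origin or missing Origin/Referer header"
    if not token_valid(session, form):
        return False, "missing or non-matching CSRF token"
    # Rotate the token so a value captured from one submission cannot be replayed.
    issue_token(session)
    return True, "ok"


def demo() -> dict:
    """Constructed requests: one legitimate, one replayed, one cross-origin."""
    session = {"user": "admin"}
    token = issue_token(session)
    legit_headers = {"Origin": SITE_ORIGIN}
    legit_form = {"action": "add_member", TOKEN_FIELD: token}
    forged_headers = {"Origin": "https://attacker.example.test"}  # constructed
    forged_form = {"action": "add_member", TOKEN_FIELD: "static-token-value"}
    results = {}
    results["legitimate"] = authorize_state_change(session, legit_headers, legit_form)
    # The legitimate call rotated the token, so the same form is refused on replay.
    results["replay"] = authorize_state_change(session, legit_headers, legit_form)
    results["forged"] = authorize_state_change(session, forged_headers, forged_form)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'allowed' if ok else 'blocked'} ({why})")
```

The ordering matters: the origin check runs first because it costs nothing and needs no session state, while the token check is what actually binds the request to the logged-in administrator; a deployment that only has the Origin check remains exposed to clients that strip the header, which is why the token is the primary control and the header check is defence in depth.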
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Bluethrust/Clan Scripts
- Range: = v4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.