Cross-Site Request Forgery (CSRF) in erudika/scoold
Jun 20th 2021
/voteup/question/* endpoint does not have a CSRF protection. This could be exploited by an attacker to manipulate votes in a question.
🕵️♂️ Proof of Concept
An attacker creates the following web page and sends a link to a logged in user.
// PoC.html <html> <head> <meta name="referrer" content="no-referrer"> </head> <body> <a href="https://live.scoold.com/voteup/question/1279016709126098944">Click Here</a> </body> </html>
When an authenticated user clicks the link, a vote is made on behalf of the user without the user actually knowing.
This attack could be easily prevented by requiring a valid CSRF token to validate the click.
Hey @oomb, since I couldn't find a security policy or contact email address on the repository, I've created an issue asking for a way to responsibly inform them of this vulnerability. Waiting to hear back, good job!
Thank you Alex! May I kindly ask whether there is a reason that you wished not to claim the fix bounty? Your feedback would be much appreciated, thanks 🙏
I still can't understand how this site works... Are these rewards supposed to support maintainers for fixes like this? Anyways, our projects are fully funded by our backing company so that reward is irrelevant to me.
Also I've just noticed that my profile says "0 fixes" - how come?
Oops! Is this a bug?
Hello Alex, we allow the maintainer to select themselves as the fixer if they patched the vulnerability themselves. When you confirm the fix, you need to just select yourself as the fixer. This will also reflect the fix on your profile.
With regards to the above, do you want this advisory to be marked as valid or invalid?
Thanks for clarifying that Jamie! The report is valid for sure. I was just playing around and managed to click the disabled "mark as invalid" button, which should not have had any effect but it did.
@Alex, apologies for the confusion. From a data perspective, it hasn't actually been reflected as invalid. I will remove the above statuses to prevent confusion when viewing the page.
I will also make sure the
mark as invalid button is disabled once the status is set.
Yes, that's a good idea. Thanks again for the support!