Cross-Site Request Forgery (CSRF) in laravelio/laravel.io

Valid

Reported on

Dec 14th 2021


Description

This CSRF is capable of making a user unintentionally subscribe to or unsubscribe from a thread.

Proof of Concept

Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe

Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/unsubscribe

Impact

One way the GET route could be abused: a person places an image tag with src="https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe" anywhere on the internet, and if a user of your site stumbles upon that page, they are unknowingly subscribed to the thread. The same can be done with a URL shortener or similar. This is a state-changing route and thus should be a POST with a @csrf token.
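The following is an added illustration, not the laravel.io code or the fix commit referenced below: it puts a state-changing subscribe action exposed over GET next to the POST-plus-@csrf form the report recommends. The route paths, the `subscribeTo`/`unsubscribeFrom` helper names, the view name and the route names are assumptions for illustration.

```php
<?php
// Added example (not laravel.io's code): the insecure GET pattern and the
// POST + CSRF pattern side by side. Helper names and route names are assumed.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// --- Vulnerable: state change on a GET request ---------------------------
// Any third-party page can trigger this with <img src="..."> or a plain link:
// the browser attaches the victim's session cookie, and Laravel's
// VerifyCsrfToken middleware only checks POST/PUT/PATCH/DELETE requests,
// so a GET route is never protected by the token.
Route::get('/forum/{thread}/subscribe', function (Request $request, string $thread) {
    $request->user()->subscribeTo($thread);     // assumed helper on the User model
    return redirect()->back();
})->middleware('auth');

// --- Hardened: POST routes, CSRF token verified by the 'web' middleware group
// (routes in routes/web.php already sit in that group; shown explicitly here).
// A request without a valid _token is rejected with HTTP 419 before the
// closure runs, so a forged form on another origin cannot change state.
Route::post('/forum/{thread}/subscribe', function (Request $request, string $thread) {
    $request->user()->subscribeTo($thread);
    return redirect()->back();
})->middleware(['web', 'auth'])->name('forum.subscribe');

Route::post('/forum/{thread}/unsubscribe', function (Request $request, string $thread) {
    $request->user()->unsubscribeFrom($thread); // assumed helper on the User model
    return redirect()->back();
})->middleware(['web', 'auth'])->name('forum.unsubscribe');

/*
 * Matching Blade view (resources/views/forum/subscribe.blade.php, assumed name).
 * @csrf renders a hidden <input name="_token"> bound to the user's session;
 * VerifyCsrfToken compares it with the session token on every POST.
 *
 * <form method="POST" action="{{ route('forum.subscribe', $thread) }}">
 *     @csrf
 *     <button type="submit">Subscribe</button>
 * </form>
 *
 * <form method="POST" action="{{ route('forum.unsubscribe', $thread) }}">
 *     @csrf
 *     <button type="submit">Unsubscribe</button>
 * </form>
 */
```

A quick regression check for this class of bug is a feature test that issues `$this->get('/forum/some-thread/subscribe')` as an authenticated user and asserts a 405 (method not allowed), while `$this->post(...)` without a session token asserts 419; once every state-changing action fails both checks, an `<img>` tag or shortened link can no longer flip a subscription.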

We are processing your report and will contact the laravelio/laravel.io team within 24 hours. 5 months ago
HDVinnie
5 months ago

Researcher


@admin All occurrences have been validated and fixed by the maintainer

https://github.com/laravelio/laravel.io/commit/e22474e401d209963651fcd25f8b11a017e76636

HDVinnie
5 months ago

Researcher


Commit SHA e22474e401d209963651fcd25f8b11a017e76636

We have contacted a member of the laravelio/laravel.io team and are waiting to hear back 5 months ago
Jamie Slome
5 months ago

Admin


@hdvinnie - we can no longer validate reports on behalf of the maintainers, and so will require the maintainer to mark this report as valid.

We have sent a follow up to the laravelio/laravel.io team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the laravelio/laravel.io team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the laravelio/laravel.io team. This report is now considered stale. 5 months ago
Jamie Slome
3 months ago

Admin


Following up for you on this here.

Jamie Slome validated this vulnerability 3 months ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome confirmed that a fix has been merged on e22474 3 months ago
The fix bounty has been dropped
subscribe.blade.php#L7-L29 has been validated
web.php#L89-L90 has been validated