Cross-Site Request Forgery (CSRF) in laravelio/laravel.io

Valid

Reported on

Dec 14th 2021


Description

This CSRF is capable of making a user unintentionally subscribe and unsubscribe to a thread.

Proof of Concept

Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe

Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/unsubscribe

Impact

One way a GET route can be abused here is that a person places an image tag with src="https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe" anywhere on the internet, and if a logged-in user of your site stumbles upon that page, they will be unknowingly subscribed to the thread. The same can be done with a URL shortener or similar. This is a state-changing route and thus should be a POST protected by a @csrf token.
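What the fix described above looks like in a Laravel application, as an added illustration (not the project's actual commit); the route paths, controller class, route names and view path are assumed:

```php
<?php
// routes/web.php (illustrative, not laravel.io's own file)

use App\Http\Controllers\ThreadController; // assumed controller
use Illuminate\Support\Facades\Route;

// Before: a state-changing GET route. Any page that embeds
//   <img src="https://laravel.io/forum/{thread}/subscribe">
// makes a logged-in visitor's browser send this request with their session
// cookie, and Laravel's VerifyCsrfToken middleware deliberately skips
// GET/HEAD/OPTIONS, so nothing stops the subscription from being created.
Route::get('forum/{thread}/subscribe', [ThreadController::class, 'subscribe'])
    ->middleware('auth');

// After: state changes go through POST. The "web" middleware group runs
// VerifyCsrfToken, which rejects a POST whose _token does not match the
// session, and an <img> tag or a shortened link can only issue a GET.
Route::post('forum/{thread}/subscribe', [ThreadController::class, 'subscribe'])
    ->middleware('auth')
    ->name('threads.subscribe');

Route::post('forum/{thread}/unsubscribe', [ThreadController::class, 'unsubscribe'])
    ->middleware('auth')
    ->name('threads.unsubscribe');

/*
 * resources/views/forum/subscribe.blade.php (illustrative view)
 *
 * The @csrf directive renders a hidden <input name="_token"> carrying the
 * per-session token that VerifyCsrfToken checks on the POST.
 *
 * @if ($thread->isSubscribedBy(auth()->user()))   {{-- assumed model method --}}
 *     <form method="POST" action="{{ route('threads.unsubscribe', $thread) }}">
 *         @csrf
 *         <button type="submit">Unsubscribe</button>
 *     </form>
 * @else
 *     <form method="POST" action="{{ route('threads.subscribe', $thread) }}">
 *         @csrf
 *         <button type="submit">Subscribe</button>
 *     </form>
 * @endif
 */
```

A quick check after such a change is to request the old URL with GET and confirm a 405 Method Not Allowed, then submit the form with the `_token` field removed and confirm a 419 Page Expired from the CSRF middleware.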

We are processing your report and will contact the laravelio/laravel.io team within 24 hours. a year ago
HDVinnie
a year ago

Researcher


@admin All occurrences have been validated and fixed by the maintainer

https://github.com/laravelio/laravel.io/commit/e22474e401d209963651fcd25f8b11a017e76636

HDVinnie
a year ago

Researcher


Commit SHA e22474e401d209963651fcd25f8b11a017e76636

We have contacted a member of the laravelio/laravel.io team and are waiting to hear back a year ago
Jamie Slome
a year ago

Admin


@hdvinnie - we can no longer validate reports on behalf of the maintainers, and so will require the maintainer to mark this report as valid.

We have sent a follow up to the laravelio/laravel.io team. We will try again in 7 days. a year ago
We have sent a second follow up to the laravelio/laravel.io team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the laravelio/laravel.io team. This report is now considered stale. a year ago
Jamie Slome
a year ago

Admin


Following up for you on this here.

Jamie Slome validated this vulnerability a year ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome marked this as fixed in e22474e401d209963651fcd25f8b11a017e76636 with commit e22474 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
subscribe.blade.php#L7-L29 has been validated
web.php#L89-L90 has been validated