Cross-Site Request Forgery (CSRF) in pterodactyl/panel

Valid

Reported on

Nov 15th 2021


Description

The following state-changing endpoints are vulnerable to CSRF:

1: GET /admin/nodes/view/1/settings/token (auto-generates token when token not generated yet)

2: GET /admin/settings/mail/test (The X-CSRF-Token header for the API request is not validated on backend, should be a POST request to make things easy imo)

Proof of Concept

<a href="http://[pterodactyl-url]/admin/settings/mail/test">CLICK ME!</a>
<a href="http://[pterodactyl-url]/admin/nodes/view/1/settings/token">CLICK ME!</a>

Impact

This vulnerability is capable of tricking admin users into spamming unwanted test emails to the admin user or generating tokens.
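Added illustration, not code from the report or from pterodactyl/panel (which is PHP/Laravel): a Python model of the reported mail-test handler beside a hardened form that only accepts POST and compares the X-CSRF-Token header against the session's token in constant time. The session store, handler names and the `demo()` driver are constructed for this example; a cross-site `<a href>` click is modelled as a GET that carries the victim's session but no token header, since the attacker's page cannot read it.

```python
import hmac
import secrets

# Constructed in-memory session store (session id -> session data); a real app
# keeps this server-side, where Laravel also stores the per-session CSRF token.
SESSIONS = {}

def new_session():
    """Create a session with a fresh CSRF token and return its id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "test_mails": 0}
    return sid

def vulnerable_test_mail(method, sid, headers):
    """Shape of the reported flaw: any method, header never checked, state changes."""
    SESSIONS[sid]["test_mails"] += 1
    return 200

def hardened_test_mail(method, sid, headers):
    """Fix as the report suggests: POST only, and X-CSRF-Token must match
    the token stored in the session (constant-time compare)."""
    if method != "POST":
        return 405
    session = SESSIONS.get(sid)
    if session is None:
        return 401
    supplied = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 419  # status Laravel returns on a CSRF token mismatch
    session["test_mails"] += 1
    return 200

def cross_site_click(handler, sid):
    """A cross-origin link click: the browser attaches the victim's session
    cookie (sid), but the attacker's page cannot read or send the token."""
    return handler("GET", sid, {})

def demo():
    """Run both handlers against a forged GET and legitimate POSTs."""
    sid = new_session()
    forged_vuln = cross_site_click(vulnerable_test_mail, sid)
    sent_after_vuln = SESSIONS[sid]["test_mails"]
    forged_hard = cross_site_click(hardened_test_mail, sid)
    bad_token = hardened_test_mail("POST", sid, {"X-CSRF-Token": "guess"})
    ok = hardened_test_mail("POST", sid, {"X-CSRF-Token": SESSIONS[sid]["csrf_token"]})
    return {"forged_vuln": forged_vuln, "sent_after_vuln": sent_after_vuln,
            "forged_hard": forged_hard, "bad_token": bad_token, "ok": ok,
            "final_sent": SESSIONS[sid]["test_mails"]}
```

The forged GET sends a mail through the vulnerable handler but is refused by the hardened one, which only counts the POST carrying the correct token.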

Occurrences

generate token frontend

test mail api

test mail frontend

generate token api

test mail backend (x-csrf-token not validated)

We are processing your report and will contact the pterodactyl/panel team within 24 hours. a year ago
haxatron modified the report
a year ago
We have contacted a member of the pterodactyl/panel team and are waiting to hear back a year ago
Dane Everitt validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dane Everitt marked this as fixed with commit bf9cbe a year ago
Dane Everitt has been awarded the fix bounty
This vulnerability will not receive a CVE
admin.php#L156 has been validated
admin.php#L69 has been validated
mail.blade.php#L137L161 has been validated
MailController.php#L110L120 has been validated
haxatron
a year ago

Researcher


Dear @admin, please remove CVE as per maintainers wishes in this report https://huntr.dev/bounties/2a082a11-b41e-4155-afaf-3f93a0bc23c6/

Dane Everitt
a year ago

Maintainer


@admin please do not create a CVE, this project uses GitHub for security alerting and CVE handling.

https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6

haxatron
a year ago

Researcher


I have informed @admin via Discord. There is a delay between report validation and CVE creation, so not to worry.

Jamie Slome
a year ago

Admin


@daneeveritt - we have removed the CVE from this report.
