Cross-Site Request Forgery (CSRF) in pterodactyl/panel

Valid

Reported on

Nov 15th 2021


Description

The following state-changing endpoints are vulnerable to CSRF:

1: GET /admin/nodes/view/1/settings/token (auto-generates a token when one has not been generated yet)

2: GET /admin/settings/mail/test (the X-CSRF-Token header for the API request is not validated on the backend; this should be a POST request to make things easy imo)

Proof of Concept

<a href="http://[pterodactyl-url]/admin/settings/mail/test">CLICK ME!</a>
<a href="http://[pterodactyl-url]/admin/nodes/view/1/settings/token">CLICK ME!</a>
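As an added illustration (not code from the report, from Pterodactyl or from Laravel), the Python model below mirrors the behaviour of Laravel's VerifyCsrfToken middleware, which the Pterodactyl panel runs on: requests using GET, HEAD or OPTIONS skip token validation entirely, so an X-CSRF-TOKEN header sent by the panel's front-end on a GET request is never checked, and a cross-site link or image pointing at a state-changing GET route is enough to trigger it. Registering the same endpoint as POST makes the middleware demand a token that the attacker's origin cannot read. The router, session token and mail handler are constructed stand-ins; only the path comes from the report.

```python
"""Model of how Laravel's VerifyCsrfToken middleware treats a state-changing
GET route, and why moving the route to POST closes the CSRF hole.

Added example, not Pterodactyl or Laravel code. The route path is the one
from the report; router, session and handler are constructed stand-ins."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

READ_METHODS = {"GET", "HEAD", "OPTIONS"}  # Laravel's isReading() exemption


@dataclass
class Request:
    method: str
    path: str
    # Attached by the browser; a cross-site <a href> navigation still sends a
    # SameSite=Lax session cookie, so the victim's admin session is present.
    session_token: Optional[str] = None
    # Forms send _token; the panel front-end sends X-CSRF-TOKEN. An attacker's
    # page cannot read either value because of the same-origin policy.
    form_token: Optional[str] = None
    headers: dict = field(default_factory=dict)


def csrf_ok(req: Request) -> bool:
    """Mirror of VerifyCsrfToken::handle: reads are exempt; everything else
    must carry a token matching the session token (constant-time compare)."""
    if req.method in READ_METHODS:
        return True  # token is NOT checked, even if a header is present
    supplied = req.form_token or req.headers.get("X-CSRF-TOKEN")
    if not supplied or not req.session_token:
        return False
    return hmac.compare_digest(supplied, req.session_token)


class App:
    def __init__(self):
        self.routes = {}          # (method, path) -> handler
        self.test_mails_sent = 0  # state a forged request would mutate

    def route(self, method: str, path: str, handler) -> None:
        self.routes[(method.upper(), path)] = handler

    def dispatch(self, req: Request) -> int:
        handler = self.routes.get((req.method, req.path))
        if handler is None:
            return 405
        if not csrf_ok(req):
            return 419  # Laravel's "Page Expired" CSRF failure status
        handler()
        return 200


def build_app(method: str) -> App:
    """Register the mail-test endpoint under the given HTTP method."""
    app = App()

    def send_test_mail():
        app.test_mails_sent += 1

    app.route(method, "/admin/settings/mail/test", send_test_mail)
    return app


def run_scenario(method: str) -> dict:
    """Replay a forged cross-site request and a legitimate front-end request
    against the mail-test endpoint registered under `method`."""
    token = secrets.token_urlsafe(32)  # victim's session CSRF token
    app = build_app(method)

    # 1. Forged request from the attacker's page: the browser adds the
    #    session cookie, but the attacker cannot supply the token.
    forged = Request(method, "/admin/settings/mail/test", session_token=token)
    forged_status = app.dispatch(forged)

    # 2. Legitimate request from the panel's own JavaScript, which reads the
    #    token from the page and sends it as X-CSRF-TOKEN.
    legit = Request(method, "/admin/settings/mail/test", session_token=token,
                    headers={"X-CSRF-TOKEN": token})
    legit_status = app.dispatch(legit)

    return {"forged": forged_status, "legit": legit_status,
            "mails_sent": app.test_mails_sent}


if __name__ == "__main__":
    print("GET  route:", run_scenario("GET"))   # forged request succeeds
    print("POST route:", run_scenario("POST"))  # forged request gets 419
```

Cookie caveat worth keeping in mind: Laravel's default session cookie is SameSite=Lax (the default since Laravel 7), which browsers send on top-level cross-site GET navigations such as clicking the link in the PoC but not on cross-site POSTs. Changing the method therefore both makes the token check apply and gets the browser's SameSite behaviour working for the panel, which is why "convert the GET to a POST" is the right shape of fix rather than only adding a token check to the GET handler.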

Impact

This vulnerability is capable of tricking admin users into spamming unwanted test emails to the admin user / generating tokens.

Occurrences

generate token frontend

test mail api

test mail frontend

generate token api

test mail backend (x-csrf-token not validated)

We are processing your report and will contact the pterodactyl/panel team within 24 hours. 16 days ago
haxatron modified their report 15 days ago
We have contacted a member of the pterodactyl/panel team and are waiting to hear back 15 days ago
Dane Everitt validated this vulnerability 14 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dane Everitt confirmed that a fix has been merged on bf9cbe 14 days ago
Dane Everitt has been awarded the fix bounty
admin.php#L156 has been validated
admin.php#L69 has been validated
mail.blade.php#L137L161 has been validated
MailController.php#L110L120 has been validated
haxatron
14 days ago

Researcher


Dear @admin, please remove the CVE as per the maintainer's wishes in this report: https://huntr.dev/bounties/2a082a11-b41e-4155-afaf-3f93a0bc23c6/

Dane Everitt
14 days ago

Maintainer


@admin please do not create a CVE, this project uses GitHub for security alerting and CVE handling.

https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6

haxatron
14 days ago

Researcher


I have informed @admin via Discord. There is a delay between report validation and CVE creation, so not to worry.

Jamie Slome
14 days ago

Admin


@daneeveritt - we have removed the CVE from this report.