Cross-Site Request Forgery (CSRF) in snipe/snipe-it

Valid

Reported on

Nov 6th 2021


Description

An attacker can log a user out of snipe-it by getting that user, while logged in, to visit an attacker-controlled page. The logout endpoint responds to a GET request, so the browser performs the logout as soon as it loads a cross-site reference to it (for example an image tag whose src is the logout URL), attaching the victim's session cookie along the way.

Impact

This vulnerability lets an attacker force an unintended logout of any logged-in user: a cross-site request forgery against the logout endpoint. It does not expose or take over the account, but it can be used to end sessions at will.

Test

Tested on Edge, Firefox, Chrome and Safari.

Fix

Use POST instead of GET for the logout route.

To expand:

Because the logout link responds to GET, a person (a competitor, perhaps) can place an image tag with src="<your logout link>" ANYWHERE on the internet. Any logged-in user of your site who stumbles upon that page is logged out without knowing why: the browser fetches the image URL and sends the session cookie with it.

This is why logout should be a POST with a @csrf token. POST alone is not enough, since a cross-site page can auto-submit a form; the token is what the attacker cannot supply, because it is bound to the victim's session and cannot be read from another origin. Note also that a SameSite=Lax session cookie only stops the subresource case (the image tag): a top-level navigation to the logout URL, such as a link or a redirect, still carries the cookie, so a GET logout remains reachable cross-site.

While this cannot harm a user's account it can be a great annoyance and is a valid CSRF.
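The following is an added illustration of the fix described above; it is not snipe-it's code and does not reproduce the lines changed in web.php. It models the GET logout handler and the POST-plus-token handler as plain PHP functions (the Session class, logoutViaGet and logoutViaPost are assumed names) and replays the three request shapes that matter: the image-tag GET, a cross-site auto-submitted POST form, and the site's own @csrf form. The Laravel equivalents are noted in the comments.

```php
<?php
// Added example, not snipe-it's code. Plain PHP so it runs without Laravel.
//
// Laravel equivalent of the fix (illustrative, not the project's actual lines):
//   before:  Route::get('/logout',  [LoginController::class, 'logout']);
//   after:   Route::post('/logout', [LoginController::class, 'logout']);
// with the route inside the 'web' middleware group (VerifyCsrfToken) and the
// logout link replaced by a Blade form:
//   <form method="POST" action="{{ route('logout') }}">@csrf<button>Log out</button></form>

declare(strict_types=1);

/** Stand-in for the server-side session of a logged-in user (assumed name). */
final class Session
{
    public bool $loggedIn = true;
    public string $csrfToken;

    public function __construct()
    {
        // One token per session; it lives server-side and in the site's own
        // pages only, so another origin cannot read it.
        $this->csrfToken = bin2hex(random_bytes(20));
    }
}

/** Vulnerable handler: ends the session on any request, GET included. */
function logoutViaGet(Session $s, string $method, array $params): bool
{
    $s->loggedIn = false;
    return true;
}

/** Hardened handler: POST only, and _token must match the session token. */
function logoutViaPost(Session $s, string $method, array $params): bool
{
    if ($method !== 'POST') {
        return false;                       // <img src="/logout"> sends GET: refused
    }
    $submitted = $params['_token'] ?? '';
    // Constant-time comparison, the same primitive Laravel's
    // VerifyCsrfToken middleware uses before answering 419 on mismatch.
    if (!hash_equals($s->csrfToken, $submitted)) {
        return false;
    }
    $s->loggedIn = false;
    return true;
}

// Constructed requests as a browser would send them from a cross-site page
// (session cookie attached, so each one acts on the victim's session):
$scenarios = [
    'img tag'     => fn(Session $s) => ['GET',  []],                     // <img src="https://app/logout">
    'forged form' => fn(Session $s) => ['POST', ['_token' => 'guess']],  // auto-submitting cross-site form
    'own @csrf form' => fn(Session $s) => ['POST', ['_token' => $s->csrfToken]], // rendered by the site itself
];

foreach (['GET logout' => 'logoutViaGet', 'POST+token logout' => 'logoutViaPost'] as $label => $handler) {
    foreach ($scenarios as $name => $request) {
        $s = new Session();
        [$method, $params] = $request($s);
        $handler($s, $method, $params);
        printf("%-18s %-15s victim still logged in: %s\n",
            $label, $name, $s->loggedIn ? 'yes' : 'NO');
    }
}
```

Running it shows the GET handler logging the victim out in all three cases, while the hardened handler only ends the session for the request carrying the real token, which only the site's own page can render.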

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 25 days ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 24 days ago
snipe
23 days ago

Maintainer


🙄

snipe
23 days ago

Maintainer


To call this a vulnerability is a bit of a stretch

HDVinnie
23 days ago

Researcher


As noted in the description: "While this cannot harm a user's account it can be a great annoyance and is a valid CSRF." As a maintainer of a few Laravel projects myself, this is a simple fix. I don't see why you would not just take the 5 min to do it. Either way, no disrespect if you disagree, but it is valid. Mark it as you wish; I won't be upset. You will see that Laravel itself now uses a POST request for logout and not GET. See laravel-ui, laravel-breeze and laravel-jetstream for references. You can also find info on the Laracasts forums and the Laravel issue tracker.

snipe validated this vulnerability 23 days ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe
23 days ago

Maintainer


I am taking the time to fix it, but to call it a vulnerability is a bit much. This should have just been a GH issue.

snipe confirmed that a fix has been merged on 38c36a 23 days ago
snipe has been awarded the fix bounty
web.php#L466-L471 has been validated