Cross-Site Request Forgery (CSRF) in emoncms/dashboard

Valid

Reported on

Jul 22nd 2021

💥 BUG

CSRF bug to change a schedule to public

💥 STEPS TO REPRODUCE

  1. First log in to your account and open the link http://localhost/emoncms/schedule/set.json?id=1&fields={%22public%22:true}; your schedule will be changed from private to public.

💥 IMPACT

Any attacker can send this link to a victim, and when the victim opens the link the schedule status will be changed.

💥 STUDY

https://portswigger.net/web-security/csrf
https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/
https://owasp.org/www-community/attacks/csrf

📍 Location dashboard_config.php#L78
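The request in the report is a state-changing GET that is authorised by nothing except the session cookie, which is exactly what the browser attaches to a cross-site request. The PHP sketch below is an added example, not emoncms code and not the maintainer's fix: `ScheduleStore`, `handle_set_vulnerable`, `handle_set_hardened` and the `csrf_token` field are hypothetical names, and the schedule rows and simulated requests are constructed. It puts the vulnerable shape beside a hardened handler that requires POST and a per-session token compared with `hash_equals`, then replays the forged request against both.

```php
<?php
// Added example (hypothetical code, not emoncms). Models the CSRF in the report:
// GET schedule/set.json?id=1&fields={"public":true} flips a schedule to public.
declare(strict_types=1);

final class ScheduleStore {
    /** @var array<int, array{userid:int, public:bool}> constructed sample rows */
    private array $rows = [
        1 => ['userid' => 7, 'public' => false],
        2 => ['userid' => 9, 'public' => false],
    ];
    public function get(int $id): ?array { return $this->rows[$id] ?? null; }
    public function setPublic(int $id, bool $public): void { $this->rows[$id]['public'] = $public; }
}

// Shared field handling: parse the JSON "fields" parameter and apply "public" if present.
function apply_fields(ScheduleStore $store, array $session, array $params): array {
    $id = (int)($params['id'] ?? 0);
    $fields = json_decode((string)($params['fields'] ?? ''), true);
    $row = $store->get($id);
    if ($row === null || !is_array($fields)) return ['success' => false, 'message' => 'bad request'];
    if ($row['userid'] !== $session['userid']) return ['success' => false, 'message' => 'not your schedule'];
    if (array_key_exists('public', $fields)) $store->setPublic($id, (bool)$fields['public']);
    return ['success' => true];
}

// Vulnerable shape: any authenticated request changes state, including a plain GET
// that the victim's browser issues when it loads an attacker-controlled page.
function handle_set_vulnerable(ScheduleStore $store, array $session, array $query): array {
    if (!isset($session['userid'])) return ['success' => false, 'message' => 'not logged in'];
    return apply_fields($store, $session, $query);
}

// Hardened shape: state changes need POST plus a per-session CSRF token that a
// cross-origin page cannot read, compared in constant time.
function handle_set_hardened(ScheduleStore $store, array $session, string $method, array $post): array {
    if (!isset($session['userid'])) return ['success' => false, 'message' => 'not logged in'];
    if ($method !== 'POST') return ['success' => false, 'message' => 'POST required'];
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($session['csrf_token'], $token)) {
        return ['success' => false, 'message' => 'invalid CSRF token'];
    }
    return apply_fields($store, $session, $post);
}

// Constructed scenario: the victim is logged in as user 7 and owns schedule 1.
$session = ['userid' => 7, 'csrf_token' => bin2hex(random_bytes(32))];
$forged  = ['id' => '1', 'fields' => '{"public":true}'];

// The cross-site GET from the report: the cookie rides along, the server obeys.
$store = new ScheduleStore();
$r = handle_set_vulnerable($store, $session, $forged);
printf("vulnerable GET:        success=%s public=%s\n",
    var_export($r['success'], true), var_export($store->get(1)['public'], true));

// Same forged request against the hardened handler: method and token both fail.
$store = new ScheduleStore();
$r = handle_set_hardened($store, $session, 'GET', $forged);
printf("hardened GET:          %s, public=%s\n", $r['message'], var_export($store->get(1)['public'], true));
$r = handle_set_hardened($store, $session, 'POST', $forged + ['csrf_token' => 'guess']);
printf("hardened POST (guess): %s, public=%s\n", $r['message'], var_export($store->get(1)['public'], true));

// A legitimate same-site form that carries the session's token succeeds.
$r = handle_set_hardened($store, $session, 'POST', $forged + ['csrf_token' => $session['csrf_token']]);
printf("hardened POST (token): success=%s public=%s\n",
    var_export($r['success'], true), var_export($store->get(1)['public'], true));
```

Run it with `php csrf_example.php`; the first line shows the schedule flipped to public by a bare GET, the next two show the forged requests rejected, and the last shows the tokened POST succeeding. Requiring POST alone is not sufficient, since an attacker's page can auto-submit a form; the unguessable per-session token is what breaks the forgery, and a `SameSite` attribute on the session cookie adds defence in depth.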

We have contacted a member of the emoncms/dashboard team and are waiting to hear back 2 months ago
A emoncms/dashboard maintainer
2 months ago

Maintainer


Thanks @ranjit-git, I believe that I have fixed this with this commit to emoncms core: https://github.com/emoncms/emoncms/commit/ca1f5c3165fc51cfda4451c808c68ec877009523. Are you able to change the git repository of this disclosure to emoncms/emoncms?

Your other disclosures also appear to be all associated with github.com/emoncms/emoncms/ rather than github.com/emoncms/dashboard.

I will work through these over the next couple of days and get back to you on each one hopefully by the end of the week.

Thanks a lot for your detailed work on these.

A emoncms/dashboard maintainer validated this vulnerability 2 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
ranjit-git
2 months ago

Researcher


@maintainer, it seems the bug is in the main core rather than the component. You can validate the remaining reports. I will ask the admin to change the repo URL and then you can confirm the fix.

A emoncms/dashboard maintainer confirmed that a fix has been merged on 58af4f 2 months ago
The fix bounty has been dropped
A emoncms/dashboard maintainer
2 months ago

Maintainer


Here's the fix in the core repo: https://github.com/emoncms/emoncms/commit/5e08ec969c1a1ceb483e2ef08bb2073f981ceada

I will link the last commit in the dashboard repo to close this issue.

Thanks again!

ranjit-git modified their report
a month ago