Cross Site Request Forgery in Create a Memo Functionality (POST /api/memo) in usememos/memos
Reported on
Dec 27th 2022
Description
I have discovered a CSRF vulnerability in Memos, in the Create a Memo functionality (POST /api/memo).
I have identified that it is possible to manipulate the actions of authenticated users by tricking them into clicking on a malicious link or visiting a malicious website while they are logged into Memos. This can allow an attacker to perform actions on behalf of the victim, such as creating or modifying memos.
To reproduce the vulnerability, I followed these steps:
- I logged into the Memos application with a valid account.
- I created a malicious HTML file containing a form that submits a request to the Memos application to create a new memo, with the title and content set to a predetermined value:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:5230/api/memo" method="POST" enctype="text/plain">
<input type="hidden" name="{"content":"CSRF","visibility":"PRIVATE","resourceIdList":[]}" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
- I hosted the malicious HTML file on a server and shared the link with a victim who was also logged into the Memos application.
- When the victim clicked on the link, a new memo was created in their account with the predetermined title and content, without their knowledge or consent.
I have attached a proof-of-concept HTML file and a video demonstrating the vulnerability to this report.
The Cross-Site Request Forgery (CSRF) vulnerability exists because the application does not require the Content-Type of the request to be application/json and accepts text/plain instead. An HTML form can only submit bodies of type application/x-www-form-urlencoded, multipart/form-data or text/plain, and with text/plain the form field's name is written into the body verbatim, so the JSON document in the form above reaches the endpoint as a simple cross-site request, without any CORS preflight. By accepting text/plain as the Content-Type, the application leaves this endpoint open to CSRF attacks.
Proof of Concept
https://drive.google.com/file/d/10eIE2pXRcVDT1juyGu5_MSmvzgTmj_35/view?usp=sharing
Remediation
I recommend the following steps to mitigate this vulnerability: implement proper CSRF protection, such as including a unique token in all forms and verifying it on the server side, and validate the Content-Type of requests to ensure they are of the expected type, such as application/json. This will prevent attackers from leveraging the vulnerability to perform unauthorized actions.
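As an added example, not Memos' own code, here is the Content-Type check described above written as Go net/http middleware; the memo handler, the listen address and the Sec-Fetch-Site check (a defence beyond what the report asks for) are my assumptions:

```go
package main

import (
	"mime"
	"net/http"
)

// RejectReason returns "" when a request may reach the API handler and a
// short reason otherwise. An HTML <form> can only send
// application/x-www-form-urlencoded, multipart/form-data or text/plain, so
// requiring application/json on state-changing methods closes the
// text/plain path used in the report; a cross-origin fetch()/XHR cannot
// set that header without a CORS preflight the server does not approve.
func RejectReason(r *http.Request) string {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return "" // safe methods: nothing to protect
	}
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		return "Content-Type must be application/json"
	}
	// Defence in depth (not in the report): browsers label cross-site
	// requests with Sec-Fetch-Site, so refuse those as well.
	if r.Header.Get("Sec-Fetch-Site") == "cross-site" {
		return "cross-site request refused"
	}
	return ""
}

// ContentTypeGuard wraps a handler and answers 415 when RejectReason fires.
func ContentTypeGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if reason := RejectReason(r); reason != "" {
			http.Error(w, reason, http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Mount in front of a placeholder memo-creation handler (assumed, not Memos' own).
	mux := http.NewServeMux()
	mux.Handle("/api/memo", ContentTypeGuard(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusCreated) })))
	http.ListenAndServe("127.0.0.1:5230", mux)
}
```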
Impact
A Cross-Site Request Forgery (CSRF) vulnerability can have significant impact on the security and integrity of an application.
If exploited, a CSRF vulnerability can allow an attacker to perform actions on behalf of an authenticated user, without their knowledge or consent. This can lead to unauthorized access to sensitive information, modification or deletion of data, and other malicious actions.
In addition to the direct impact on users, a CSRF vulnerability can also damage the reputation and trust of the affected application and its owner. Users may lose confidence in the security of the application and may be less likely to use it, leading to potential financial losses for the business.
It is important for organizations to take steps to prevent and mitigate CSRF vulnerabilities in their applications, in order to protect their users and maintain the trust and integrity of their systems.