Cross-Site Request Forgery (CSRF) in namelessmc/nameless

Valid

Reported on

Oct 14th 2021


Description

More instances of CSRF

Proof of Concept

/index.php?route=/panel/users/reports/&action=close&id=1
/index.php?route=/panel/users/reports/&action=open&id=1
/index.php?route=/panel/core/emails/errors/&do=delete&id=2
/index.php?route=/panel/core/emails/errors/&do=purge
/index.php?route=/panel/core/errors/&log=fatal&do=purge
/index.php?route=/panel/minecraft/query_errors/&action=purge

Impact

This vulnerability allows an attacker to trick an admin into closing or reopening user reports against other players, and into deleting important logs.
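The endpoints in the proof of concept change state on a plain GET request with nothing tying the request to the admin's session, which is what makes them forgeable. As an added illustration (not NamelessMC's own code; the function and field names are assumptions), the vulnerable pattern beside the same action moved to POST behind a session-bound token:

```php
<?php
// Added illustration for this report. Not NamelessMC code: function names,
// the "token" field and the response strings are assumptions.

session_start();

// Issue one random anti-CSRF token per session; forms embed it as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Vulnerable pattern, matching the PoC URLs: the action runs on GET with no token,
// so a request forged by another site the logged-in admin visits is accepted.
function close_report_vulnerable(array $query): string {
    if (($query['action'] ?? '') === 'close') {
        return 'report ' . (int)$query['id'] . ' closed';
    }
    return 'no-op';
}

// Hardened pattern: only POST may change state, and the submitted token must
// match the session token. hash_equals() keeps the comparison constant-time.
function close_report_hardened(string $method, array $post): string {
    if ($method !== 'POST') {
        http_response_code(405);
        return 'state change requires POST';
    }
    if (!isset($post['token']) || !hash_equals(csrf_token(), (string)$post['token'])) {
        http_response_code(403);
        return 'invalid CSRF token';
    }
    if (($post['action'] ?? '') === 'close') {
        return 'report ' . (int)$post['id'] . ' closed';
    }
    return 'no-op';
}

// Form rendering: the token travels in a hidden POST field, never in a GET URL,
// so a cross-site <img> or link cannot reproduce the request.
function render_close_form(int $id): string {
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES);
    return '<form method="post" action="/index.php?route=/panel/users/reports/">'
         . '<input type="hidden" name="token" value="' . $t . '">'
         . '<input type="hidden" name="action" value="close">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<button>Close report</button></form>';
}
```

The same change applies to each purge and delete endpoint listed above: move the action into a POST body and reject any request whose token does not match the session.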

Occurrences

open reports backend

delete email errors backend

purge minecraft query errors frontend

purge logs frontend

purge logs backend

purge email errors frontend

delete minecraft query errors backend

delete email errors frontend

close/reopen reports frontend

close reports backend

purge minecraft query errors backend

We have contacted a member of the namelessmc/nameless team and are waiting to hear back (a year ago)
haxatron modified the report a year ago
Sam validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
haxatron
a year ago

Researcher


Hi @maintainer, could the fix be submitted here too?

haxatron
a year ago

Researcher


Sorry, I had assumed that the fix for all the CSRF is done. Please take your time working on the fix.

haxatron
9 months ago

Researcher


@maintainer I don't think this seems to be fixed yet

Sam
3 months ago

Maintainer


Apologies - forgot to mark this as resolved

Sam
3 months ago

Maintainer


In fact, after another inspection, it appears there may be a couple more (low-impact) requests still using GET so I will keep this open until they are resolved.

haxatron
3 months ago

Researcher


No worries, take your time! :)

(I am getting nostalgia from this report, back when I first started.)

Sam confirmed that a fix has been merged on 6151b6 2 months ago
The fix bounty has been dropped
emails_errors.php#L32 has been validated
errors_view.tpl#L34L88 has been validated
errors.php#L23L28 has been validated
emails_errors.tpl#L107L117 has been validated
emails_errors.tpl#L128L138 has been validated
users_reports.php#L285L304 has been validated
users_reports.php#L314L334 has been validated