Cross-Site Request Forgery (CSRF) in namelessmc/nameless
Reported on: Oct 14th 2021
Description
More instances of CSRF: the admin-panel actions listed in the proof of concept below change state in response to a plain GET request.
Proof of Concept
/index.php?route=/panel/users/reports/&action=close&id=1
/index.php?route=/panel/users/reports/&action=open&id=1
/index.php?route=/panel/core/emails/errors/&do=delete&id=2
/index.php?route=/panel/core/emails/errors/&do=purge
/index.php?route=/panel/core/errors/&log=fatal&do=purge
/index.php?route=/panel/minecraft/query_errors/&action=purge
Impact
This vulnerability allows an attacker to trick an admin into closing or reopening user reports against other players and into deleting important logs.
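To make the defect and its fix concrete, here is an added example (not NamelessMC's own code): a "close report" handler written first in the GET-triggered style the proof-of-concept URLs exercise, then hardened to require a POST carrying a per-session token that is compared with hash_equals. The function names, the in-memory $reports and $session arrays standing in for the database and PHP session, and the form markup are all assumptions made for the demonstration; the project's real handlers and token helper are not shown here.

```php
<?php
// Added example, not NamelessMC code. Function names and the in-memory
// $reports / $session arrays are hypothetical stand-ins for the real
// database rows and the PHP session.
declare(strict_types=1);

// Constructed sample state: two open user reports.
$reports = [1 => ['status' => 'open'], 2 => ['status' => 'open']];
$session = [];

// Vulnerable pattern: the query string alone changes state, so any page the
// admin visits can trigger it with an <img src="...&action=close&id=1"> tag.
function handleCloseReportVulnerable(array &$reports, array $query): string
{
    if (($query['action'] ?? '') === 'close' && isset($query['id'])) {
        $id = (int) $query['id'];
        if (isset($reports[$id])) {
            $reports[$id]['status'] = 'closed';
            return "closed report $id";
        }
    }
    return 'no-op';
}

// Token issued once per session and embedded in the form the frontend renders.
function issueCsrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Frontend side of the fix: the action becomes a POST form carrying the token.
function renderCloseForm(int $id, string $token): string
{
    $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/index.php?route=/panel/users/reports/">'
        . '<input type="hidden" name="action" value="close">'
        . '<input type="hidden" name="id" value="' . $id . '">'
        . '<input type="hidden" name="token" value="' . $t . '">'
        . '<button type="submit">Close report</button></form>';
}

// Hardened pattern: reject anything that is not a POST, then require the
// submitted token to match the session copy. hash_equals keeps the
// comparison constant-time; an empty session token never matches.
function handleCloseReportHardened(array &$reports, array $session, string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'rejected: method';
    }
    $expected = $session['csrf_token'] ?? '';
    $given = $post['token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'rejected: token';
    }
    if (($post['action'] ?? '') === 'close' && isset($post['id'])) {
        $id = (int) $post['id'];
        if (isset($reports[$id])) {
            $reports[$id]['status'] = 'closed';
            return "closed report $id";
        }
    }
    return 'no-op';
}

// Walk-through with constructed requests (run with: php csrf_demo.php).
echo handleCloseReportVulnerable($reports, ['action' => 'close', 'id' => '1']), PHP_EOL;

$token = issueCsrfToken($session);
echo renderCloseForm(2, $token), PHP_EOL;

// A forged cross-site GET, and a forged POST without the token, are both refused.
echo handleCloseReportHardened($reports, $session, 'GET', []), PHP_EOL;
echo handleCloseReportHardened($reports, $session, 'POST', ['action' => 'close', 'id' => '2']), PHP_EOL;
echo handleCloseReportHardened($reports, $session, 'POST', ['action' => 'close', 'id' => '2', 'token' => 'guess']), PHP_EOL;

// The legitimate form submission, carrying the session token, succeeds.
echo handleCloseReportHardened($reports, $session, 'POST', ['action' => 'close', 'id' => '2', 'token' => $token]), PHP_EOL;
```

The same two-part change (POST instead of GET on the frontend, method plus token check on the backend) applies to every occurrence listed below; the open/reopen, purge and delete actions differ only in the state they modify.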
Occurrences
users_reports.php L314-L334: open reports backend
emails_errors.php L32: delete email errors backend
minecraft_query_errors.tpl L115-L129: purge minecraft query errors frontend
errors_view.tpl L34-L88: purge logs frontend
errors.php L23-L28: purge logs backend
emails_errors.tpl L128-L138: purge email errors frontend
minecraft_query_errors.php L89-L94: delete minecraft query errors backend
emails_errors.tpl L107-L117: delete email errors frontend
users_reports_view.tpl L111-L113: close/reopen reports frontend
users_reports.php L285-L304: close reports backend
minecraft_query_errors.php L24-L30: purge minecraft query errors backend
Sorry, I had assumed that the fix for all the CSRF was done. Please take your time working on the fix.
In fact, after another inspection, it appears there may be a couple more (low-impact) requests still using GET so I will keep this open until they are resolved.
No worries, take your time! :)
(I am getting nostalgia from this report, back when I first started.)