Cross-Site Request Forgery (CSRF) in area17/twill

Valid

Reported on

Oct 27th 2021


Description

An attacker can log a user out of Twill by getting that logged-in user to visit an attacker-controlled web page: the logout route is reachable with a plain GET request, so any cross-site request that carries the victim's session cookie ends the session.

Impact

This vulnerability lets an attacker force a logged-in user into an unintended logout (a CSRF attack on a state-changing GET endpoint).

Test

Tested on Edge, Firefox, Chrome and Safari.

Fix

The logout route should accept POST instead of GET.

To expand:

One way the GET route can be abused is that anyone (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet; if a user of your site stumbles upon that page, the browser requests the logout URL with the user's session cookie attached and they are logged out without knowing why.

This is why logout should be a POST with a @csrf token: the token lives in the user's session and is embedded in the site's own form by the @csrf Blade directive, so a cross-site page can neither read it nor submit it.

While this cannot compromise a user's account, it is a significant annoyance.

We have contacted a member of the area17/twill team and are waiting to hear back a month ago
We have sent a follow up to the area17/twill team. We will try again in 7 days. a month ago
Patrick Boivin validated this vulnerability a month ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick Boivin confirmed that a fix has been merged on 81d80d 23 days ago
Patrick Boivin has been awarded the fix bounty
auth.php#L8 has been validated
_user.blade.php#L17 has been validated