Cross-Site Request Forgery (CSRF) in namelessmc/nameless

Valid

Reported on

Oct 10th 2021


Description

Several endpoints are vulnerable to CSRF:

1: module install /index.php?route=/panel/core/modules/&action=install

2: clear template cache /index.php?route=/panel/core/panel_templates/&action=clear_cache

3: install templates, activate template, deactivate template, delete template, make_default... /index.php?route=/panel/core/panel_templates/&action=install

4: purge alerts /index.php?route=/user/alerts/&action=purge

Proof of Concept

Open up this index.html:
<img src="http://[NAMELESS]/index.php?route=/panel/core/panel_templates/&action=clear_cache">

Impact

This vulnerability allows an attacker to modify templates, clear the cache and install modules by tricking the admin user.
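
One way to close this on the endpoints listed above, as an added example that is not NamelessMC's code or the merged fix: a state-changing action runs only on a POST that carries the session's CSRF token. The function names, the `token` field and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not NamelessMC code: csrf_token(), action_allowed() and the
// 'token' form field are hypothetical names.

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decide whether a state-changing panel action may run.
 * Rejects anything that is not a POST carrying the session's token.
 */
function action_allowed(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // <img src=...> and plain links only ever issue GET
    }
    $sent = $post['token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    // hash_equals() compares in constant time; an empty session token never matches
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Constructed requests for the clear_cache action from the report.
$session = [];
$token = csrf_token($session);

$cases = [
    'cross-site <img> GET'     => ['GET',  []],
    'forged POST, no token'    => ['POST', []],
    'forged POST, wrong token' => ['POST', ['token' => str_repeat('0', 64)]],
    'panel form POST'          => ['POST', ['token' => $token]],
];

foreach ($cases as $label => [$method, $post]) {
    $verdict = action_allowed($method, $post, $session) ? 'run action' : 'reject';
    printf("%-26s %s\n", $label, $verdict);
}
```

Only the last case, a POST from the panel's own form with the matching token, reaches the action; the `<img>` request from the proof of concept is rejected at the method check.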

Occurrences

install_template & clear_cache html

purge alerts

deactivate template

install module

purge alerts html

install module html

We have contacted a member of the namelessmc/nameless team and are waiting to hear back 2 months ago
haxatron modified their report 2 months ago
Sam validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
namelessmc/nameless maintainer confirmed that a fix has been merged on 803104 a month ago
The fix bounty has been dropped
panel_templates.tpl#L39L42 has been validated
alerts.tpl#L1L57 has been validated
panel_templates.tpl#L87 has been validated
modules.tpl#L32L79 has been validated
panel_templates.tpl#L72 has been validated
alerts.php#L24L83 has been validated
modules.php#L271L298 has been validated