Cross-Site Request Forgery (CSRF) in namelessmc/nameless

Valid

Reported on Oct 10th 2021


Description

Several endpoints are vulnerable to CSRF:

1: module install: /index.php?route=/panel/core/modules/&action=install

2: clear template cache: /index.php?route=/panel/core/panel_templates/&action=clear_cache

3: install templates, activate template, deactivate template, delete template, make_default...: /index.php?route=/panel/core/panel_templates/&action=install

4: purge alerts: /index.php?route=/user/alerts/&action=purge

Proof of Concept

Open up this index.html:
<img src="http://[NAMELESS]/index.php?route=/panel/core/panel_templates/&action=clear_cache">

Impact

This vulnerability is capable of modifying templates, clearing the cache and installing modules by tricking the admin user.
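
A server-side check that closes this class of bug, shown as an added example: it is not NamelessMC's code and not the fix in the commit referenced on this page. The helper names `csrf_token` and `is_authorised_action` and the `token` form field are assumptions, and the sample requests are constructed.

```php
<?php
// Added example: hypothetical helper names, not NamelessMC code.
declare(strict_types=1);

// Issue (or reuse) a per-session token; embed it in a hidden field of every POST form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Accept a state-changing action only as a POST that carries the session's token.
function is_authorised_action(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // an <img> or <a> on another site can only issue GET
    }
    $sent = $post['token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    // hash_equals compares in constant time; an empty expected token never matches.
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Constructed requests against a handler such as action=clear_cache.
$session = [];
$token = csrf_token($session);

$cases = [
    'GET from <img> tag'      => ['GET',  []],
    'POST without token'      => ['POST', []],
    'POST with wrong token'   => ['POST', ['token' => str_repeat('0', 64)]],
    'POST with session token' => ['POST', ['token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    $ok = is_authorised_action($method, $post, $session);
    printf("%-26s %s\n", $label, $ok ? 'action runs' : 'rejected (403)');
}
```

Only the last case runs the action; the `<img>` request from the Proof of Concept is rejected because it is a GET and carries no token.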

Occurrences

install_template & clear_cache html

purge alerts

deactivate template

install module

purge alerts html

install module html

We have contacted a member of the namelessmc/nameless team and are waiting to hear back 2 years ago
haxatron modified the report
2 years ago
Sam validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
namelessmc/nameless maintainer marked this as fixed with commit 803104 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
panel_templates.tpl#L39L42 has been validated
alerts.tpl#L1L57 has been validated
panel_templates.tpl#L87 has been validated
modules.tpl#L32L79 has been validated
panel_templates.tpl#L72 has been validated
alerts.php#L24L83 has been validated
modules.php#L271L298 has been validated