Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney

Valid

Reported on May 15th 2022


Summary: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. ... If the victim is an administrative account, CSRF can compromise the entire web application.

Steps To Reproduce:

1. Create a CSRF logout POC using the following code. Code that I use:

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <script>history.pushState('', '', '/')</script>
        <form action="https://ihatemoney.org/exit">
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

Impact

This vulnerability is capable of CSRF. Logout any victim into the attacker account: send the HTML made by the attacker and then log him out of the session. The hacker selected the Cross-Site Request Forgery (CSRF) weakness.
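The PoC above works because the form has no method attribute, so the browser sends a plain GET to /exit with the victim's session cookie attached, and the endpoint ends the session on any GET. The fix the maintainers merged (commit 31fef4) is not reproduced here; the following Python is an added example, not the project's own code, showing the three checks a server can apply to a logout endpoint so that the PoC form, a cross-site POST, and a token from another session are all rejected while the application's own logout form still works. The `Request` class, `logout_allowed`, the secret, the session ids and the attacker.example origin are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed server-side secret for this example; a real deployment loads it from config.
SERVER_SECRET = b"constructed-example-secret"
SITE_ORIGIN = "https://ihatemoney.org"


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the session with an HMAC, so a page on another
    origin (which never sees the session) cannot produce it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None  # session cookie the browser attached, if any


def same_origin(header_value: str) -> bool:
    """Compare scheme and host of an Origin/Referer header with our own origin."""
    p = urlparse(header_value)
    return p.scheme != "" and f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def logout_allowed(req: Request) -> bool:
    """Return True only for a same-site POST to /exit carrying the session's CSRF token."""
    if req.path != "/exit" or req.session_id is None:
        return False
    # Check 1: a state change must not be reachable through GET. A <form> without a
    # method attribute (as in the PoC) or an <img src=...> sends GET.
    if req.method != "POST":
        return False
    # Check 2 (defence in depth): browsers set Origin, or at least Referer, on
    # cross-site form posts, so a foreign origin can be refused before token checks.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(source):
        return False
    # Check 3 (main control): the submitted token must match the one issued for
    # this session; compare in constant time.
    expected = issue_csrf_token(req.session_id)
    return hmac.compare_digest(expected, req.form.get("csrf_token", ""))


# Constructed requests: a logged-in victim whose browser attaches session cookie "sess-42".
VICTIM_SESSION = "sess-42"

# What the report's PoC sends: the form has no method, so the browser issues a GET.
POC_FORM_GET = Request("GET", "/exit",
                       headers={"Referer": "https://attacker.example/poc.html"},
                       session_id=VICTIM_SESSION)

# The same PoC with method="post": still blocked, it carries no token and a foreign Origin.
CROSS_SITE_POST = Request("POST", "/exit",
                          headers={"Origin": "https://attacker.example"},
                          session_id=VICTIM_SESSION)

# The application's own logout form: POST, same origin, token rendered into the page.
LEGIT_POST = Request("POST", "/exit",
                     headers={"Origin": SITE_ORIGIN},
                     form={"csrf_token": issue_csrf_token(VICTIM_SESSION)},
                     session_id=VICTIM_SESSION)

# A token issued for a different session must not work either.
WRONG_SESSION_TOKEN = Request("POST", "/exit",
                              headers={"Origin": SITE_ORIGIN},
                              form={"csrf_token": issue_csrf_token("sess-99")},
                              session_id=VICTIM_SESSION)


if __name__ == "__main__":
    for name, req in [("PoC GET", POC_FORM_GET), ("cross-site POST", CROSS_SITE_POST),
                      ("legitimate POST", LEGIT_POST), ("foreign token", WRONG_SESSION_TOKEN)]:
        print(f"{name:16s} -> {'allowed' if logout_allowed(req) else 'rejected'}")
```

The method check alone already defeats the submitted PoC; the Origin and token checks are what keep the endpoint safe once an attacker upgrades the form to POST, which is why frameworks such as Flask-WTF apply the token check to every non-GET request rather than only to forms that happen to be POST today.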

We are processing your report and will contact the spiral-project/ihatemoney team within 24 hours. 3 months ago
We have contacted a member of the spiral-project/ihatemoney team and are waiting to hear back 3 months ago
We have sent a follow up to the spiral-project/ihatemoney team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the spiral-project/ihatemoney team. We will try again in 10 days. 2 months ago
spiral-project/ihatemoney maintainer has acknowledged this report 2 months ago
tharunavula
2 months ago

Researcher


Hi team,

Is there any update on this?

Regards, Tharun

spiral-project/ihatemoney maintainer modified the Severity from Critical to Low 20 days ago
spiral-project/ihatemoney maintainer modified the Severity from Low to Critical (10) 20 days ago
spiral-project/ihatemoney maintainer modified the Severity from Critical (10) to Critical (10) 20 days ago
spiral-project/ihatemoney maintainer modified the Severity from Critical (10) to High (8.8) 20 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
spiral-project/ihatemoney maintainer validated this vulnerability 20 days ago
tharunavula has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
spiral-project/ihatemoney maintainer confirmed that a fix has been merged on 31fef4 20 days ago
The fix bounty has been dropped