Cross-Site Request Forgery (CSRF) in collectiveaccess/providence


Reported on

Sep 25th 2021


No CSRF token and GET requests allowed in Data and Metadata imports

Proof of Concept

1. Login as administrator
2. Create a directory called test in /import directory and put a CSV file inside
3. On the browser with administrator cookies, visit http://[WEB-SERVER]/providence/index.php/batch/MediaImport/Save/Screen42?_formName=caBatchMediaImportForm&import_target=ca_entities&directory=test&import_mode=TRY_TO_MATCH&ca_entities_type_id=89&ca_object_representations_type_id=140&ca_entities_representation_relationship_type=23&set_mode=none&idno_mode=form&idno_entity_number=&ca_entities_status=0&ca_entities_access=0&ca_object_representations_status=0&ca_object_representations_access=0&match_mode=FILE_NAME&match_type=EXACT&ca_entities_limit_matching_to_type_ids%5b%5d=89&representation_idno_mode=form&idno_representation_number=&skip_file_list=&log_level=3
4. You should see success message indicating no CSRF token required

Important Note: Metadata imports are not very dangerous because files are required to be install in /import. However, Data Imports are also vulnerable to this, in that case, the it is more dangerous as files can be sent over HTTP requests and do not need to be stored in /import directory. I did not choose to use this because I do not know the required format of Data Imports and Media imports were easier to demonstrate. However I have also found out that CSRF tokens are also not being used in Data Imports. Thus I have rated the CVSS according to this.


This vulnerability is capable of allowing an attacker to disrupt the database by getting the administrator to click on a malicious hyperlink with malicious Data Imports through Media and Data Imports.

Recommended fix

Enable CSRF token for Data Imports (recommended) and Media Imports (optional)

We have contacted a member of the collectiveaccess/providence team and are waiting to hear back a year ago
haxatron modified the report
a year ago
a year ago


These would be hard to exploit and would result in the user watching the import process go by. All changes would be logged and obvious. Still, there's no reason why these forms shouldn't have CSRF enabled on them. I'm not sure why we didn't do so earlier, as it's a simple change.

CollectiveAccess validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess confirmed that a fix has been merged on 8362ed a year ago
CollectiveAccess has been awarded the fix bounty
to join this conversation