Cross-Site Request Forgery (CSRF) in collectiveaccess/providence

Valid

Reported on

Sep 25th 2021


Description

No CSRF token and GET requests allowed in Data and Metadata imports

Proof of Concept

1. Login as administrator
2. Create a directory called test in /import directory and put a CSV file inside
3. On the browser with administrator cookies, visit http://[WEB-SERVER]/providence/index.php/batch/MediaImport/Save/Screen42?_formName=caBatchMediaImportForm&import_target=ca_entities&directory=test&import_mode=TRY_TO_MATCH&ca_entities_type_id=89&ca_object_representations_type_id=140&ca_entities_representation_relationship_type=23&set_mode=none&idno_mode=form&idno_entity_number=&ca_entities_status=0&ca_entities_access=0&ca_object_representations_status=0&ca_object_representations_access=0&match_mode=FILE_NAME&match_type=EXACT&ca_entities_limit_matching_to_type_ids%5b%5d=89&representation_idno_mode=form&idno_representation_number=&skip_file_list=&log_level=3
4. You should see a success message, indicating that no CSRF token is required

Important Note: Metadata imports are not very dangerous because files are required to be installed in /import. However, Data Imports are also vulnerable to this; in that case it is more dangerous, as files can be sent over HTTP requests and do not need to be stored in the /import directory. I did not choose to use this because I do not know the required format of Data Imports, and Media imports were easier to demonstrate. However, I have also found out that CSRF tokens are also not being used in Data Imports. Thus I have rated the CVSS according to this.

Impact

This vulnerability is capable of allowing an attacker to disrupt the database by getting the administrator to click on a malicious hyperlink that submits malicious Media or Data Imports.

Recommended fix

Enable CSRF token for Data Imports (recommended) and Media Imports (optional)
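The check the recommended fix implies, as an added example that is not Providence's own code: the import Save handler refuses a bare GET like the PoC link and requires a per-session token submitted in a (hypothetical) csrf_token form field, compared in constant time. The URL and field names below are constructed from the report.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed from the PoC: a state-changing import triggered by a plain GET link.
POC_URL = ("http://web-server.example/providence/index.php/batch/MediaImport/Save/Screen42"
           "?_formName=caBatchMediaImportForm&import_target=ca_entities&directory=test")


def new_csrf_token() -> str:
    """Secret stored in the admin's session and embedded in the import form (hypothetical csrf_token field)."""
    return secrets.token_urlsafe(32)


def query_params(url: str) -> dict:
    """Flatten the query string the PoC link carries; note it has no csrf_token at all."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_import_request(method: str, url: str, form: dict, session_token: str) -> tuple:
    """Gate for the MediaImport/DataImport Save handlers; returns (allowed, reason).

    Only the Save endpoints change state, so only they are gated.
    """
    path = urlsplit(url).path
    if not (path.endswith("/Save") or "/Save/" in path):
        return True, "not a state-changing endpoint"
    # A forged cross-site GET (the PoC hyperlink) must never perform the import.
    if method.upper() != "POST":
        return False, "state-changing import must be POST"
    # The form token must be present and equal the session token; compare_digest avoids timing leaks.
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    tok = new_csrf_token()
    print(check_import_request("GET", POC_URL, query_params(POC_URL), tok))
    print(check_import_request("POST", POC_URL, {"csrf_token": tok, "directory": "test"}, tok))
```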

We have contacted a member of the collectiveaccess/providence team and are waiting to hear back (2 months ago)
haxatron modified their report (2 months ago)

CollectiveAccess (Maintainer), 2 months ago:

These would be hard to exploit and would result in the user watching the import process go by. All changes would be logged and obvious. Still, there's no reason why these forms shouldn't have CSRF enabled on them. I'm not sure why we didn't do so earlier, as it's a simple change.

CollectiveAccess validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess confirmed that a fix has been merged on 8362ed 2 months ago
CollectiveAccess has been awarded the fix bounty