Cross-Site Request Forgery (CSRF) in yourls/yourls
Dec 24th 2021
- Hi there YOURLS team, I would like to report a Cross-Site Request Forgery vulnerability in YOURLS. Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other.
- In the case of YOURLS, this CSRF allows an attacker to trick a user into logging out of YOURLS.
Proof of Concept
- Install a local instance of YOURLS and log in.
- Access this link: admin/index.php?action=logout
- See that you are logged out of YOURLS.
- In a real attack scenario, the attacker would feed this URL to the targeted user; when they click the link, they are automatically logged out of YOURLS, because the logout action is triggered by a plain GET request with no anti-CSRF token.
Impact: this vulnerability enables CSRF against the YOURLS logout action.
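As an added illustration (not YOURLS code and not the project's fix), here is a minimal Python model of the reported behaviour next to a hardened handler that only honours `action=logout` when the request carries a nonce bound to the user's session; the handler names, the nonce scheme and the session layout are hypothetical.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed per-process secret; a real install would persist one per site.
SERVER_SECRET = secrets.token_bytes(32)


def create_nonce(action: str, session_id: str) -> str:
    """Nonce tied to both the action and the session, so a link crafted by a
    third party cannot carry a valid one for the victim's session."""
    msg = f"{action}:{session_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(action: str, session_id: str, nonce) -> bool:
    if not isinstance(nonce, str):
        return False
    return hmac.compare_digest(create_nonce(action, session_id), nonce)


def _param(url: str, name: str):
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def handle_logout_vulnerable(url: str, session: dict) -> str:
    """Mirrors the report: any GET with action=logout ends the session."""
    if _param(url, "action") == "logout":
        session["logged_in"] = False
        return "logged out"
    return "no-op"


def handle_logout_hardened(url: str, session: dict) -> str:
    """Same action, but state only changes when the nonce checks out.
    (A real fix would additionally require POST rather than GET.)"""
    if _param(url, "action") == "logout":
        if not verify_nonce("logout", session["id"], _param(url, "nonce")):
            return "rejected: missing or invalid nonce"
        session["logged_in"] = False
        return "logged out"
    return "no-op"


def logout_link(session: dict) -> str:
    """Link the application itself would render for the logged-in user."""
    return f"admin/index.php?action=logout&nonce={create_nonce('logout', session['id'])}"


if __name__ == "__main__":
    victim = {"id": "sess-constructed-1", "logged_in": True}
    print(handle_logout_vulnerable("admin/index.php?action=logout", victim), victim)
    victim = {"id": "sess-constructed-1", "logged_in": True}
    print(handle_logout_hardened("admin/index.php?action=logout", victim), victim)
    print(handle_logout_hardened(logout_link(victim), victim), victim)
```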