Cross-Site Request Forgery (CSRF) in yourls/yourls

Valid

Reported on

Dec 24th 2021


Description

  1. Hi there YOURLS team, I would like to report a Cross Site Request Forgery vulnerability on YOURLS. Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
  2. In the case of YOURLS, this CSRF allows a hacker to trick a user into logging out of yourls.

Proof of Concept

  1. Install a local instance of YOURLS
  2. Access this link: admin/index.php?action=logout
  3. See that you are logged out of yourls.
  4. In the real attack scenario, the hacker would feed this URL to the targeted user, and when they click the link, they are automatically logged out of YOURLS

Impact

This vulnerability is capable of CSRF.
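A defensive illustration of the pattern behind this report, added here as an example and not code from YOURLS or from its fix: a logout handler that acts on a bare `?action=logout` request beside one that also requires a token bound to the user's session and to the logout action. The function names and the session secret are constructed for the example.

```php
<?php
// Added example, not YOURLS code: the unprotected logout pattern the report
// describes next to a token-protected version. Session handling is simplified.

declare(strict_types=1);

// Derive an action-bound token from a per-session secret. A third party who
// does not know the secret cannot build a link that carries a valid token.
function make_action_token(string $session_secret, string $action): string {
    return hash_hmac('sha256', $action, $session_secret);
}

// Constant-time comparison of the submitted token against the expected one.
function verify_action_token(string $session_secret, string $action, ?string $token): bool {
    if ($token === null || $token === '') {
        return false;
    }
    return hash_equals(make_action_token($session_secret, $action), $token);
}

// Unprotected pattern: ?action=logout is honoured on sight, so any page that
// embeds the link can end the victim's session. Returns true when the
// request would log the user out.
function handle_logout_unprotected(array $query): bool {
    return ($query['action'] ?? '') === 'logout';
}

// Protected pattern: the same request must also carry a token bound to this
// session and to the 'logout' action, which a cross-site link cannot supply.
function handle_logout_protected(array $query, string $session_secret): bool {
    if (($query['action'] ?? '') !== 'logout') {
        return false;
    }
    return verify_action_token($session_secret, 'logout', $query['nonce'] ?? null);
}

// Constructed session secret; in a real application it lives in the
// server-side session and is generated once with random_bytes().
$secret = bin2hex(random_bytes(16));

// The bare link from the report's PoC, and a link the application itself built.
$forged = ['action' => 'logout'];
$legit  = ['action' => 'logout', 'nonce' => make_action_token($secret, 'logout')];

var_dump(handle_logout_unprotected($forged));        // bare link, unprotected handler
var_dump(handle_logout_protected($forged, $secret)); // bare link, protected handler
var_dump(handle_logout_protected($legit, $secret));  // app-built link, protected handler
```

The token must be compared with `hash_equals` and derived from a secret the attacker cannot read; checking only for the presence of the `nonce` parameter would not stop a forged link.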

We are processing your report and will contact the yourls team within 24 hours. 5 months ago
We have contacted a member of the yourls team and are waiting to hear back 5 months ago
྅༻ Ǭɀħ ༄༆ཉ
5 months ago

Maintainer


Yeah, indeed. Thanks for reporting. I've filed an issue as a reminder and will check this after the holidays https://github.com/YOURLS/YOURLS/issues/3170

M0rphling
5 months ago

Researcher


Hi there, thank you for your response. Would you mind validating this report?

We have sent a follow up to the yourls team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the yourls team. We will try again in 10 days. 5 months ago
yourls/yourls maintainer validated this vulnerability 5 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
྅༻ Ǭɀħ ༄༆ཉ confirmed that a fix has been merged on 1de256 2 months ago
྅༻ Ǭɀħ ༄༆ཉ has been awarded the fix bounty
admin-ajax.php#L43 has been validated
྅༻ Ǭɀħ ༄༆ཉ
2 months ago

Maintainer


Note that it's the 3rd or 4th time I have been "awarded the fix bounty" and I have not yet been actually awarded something... :)
