Cross-Site Request Forgery (CSRF) in collectiveaccess/pawtucket2

Status: Valid

Reported on Oct 4th 2021


Description

After taking a look at the application again, I found a few more (create / update) endpoints which should have CSRF protection.

Proof of Concept

http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/saveUserGroup?name=123&description=abc&group_id=
http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/ajaxSaveSetInfo?name=abc&description=&set_id=
http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/saveShareSet?group_id=15&user=&access=2

Impact

This vulnerability is capable of tricking a user into creating / modifying lightboxes and user groups and adding unauthorized users to a lightbox.

Occurrences

Save User Group (validation)

Save Set Info (validation)

Save Share Set (validation)

We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back (2 months ago)
haxatron modified their report (2 months ago)

CollectiveAccess (Maintainer), 2 months ago:

There are others too. Fix covers additional endpoints... I think this is everything. (Should've done this to begin with, but time is short.)

haxatron (Researcher), 2 months ago:

Yep, looks like those are everything, apologies for missing out SetAccess. Could you validate this report?

CollectiveAccess validated this vulnerability (2 months ago)
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess confirmed that a fix has been merged on 47dffa (2 months ago)
CollectiveAccess has been awarded the fix bounty