Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Sep 24th 2021


Description

CSRF allows an attacker to enable or disable chat bots and to flush the chatbox. Both actions are performed by state-changing GET routes, so a link or image on any page the victim visits triggers them with the victim's session.

Proof of Concept

After logging in to unit3d.site, open either of these links: https://unit3d.site/dashboard/chat/bots/2/disable or https://unit3d.site/dashboard/chat/bots/2/enable
Observe that the chat bot is disabled or enabled accordingly.

Open this link: https://unit3d.site/dashboard/flush/chat
Observe that the chatbox is flushed.

Impact

This vulnerability allows an attacker to enable or disable chat bots and to flush the chatbox on behalf of a logged-in staff user.

We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back 2 months ago
M0rphling modified their report
2 months ago
HDVinnie
2 months ago

I don't see how this is a vulnerability. Those routes are behind a middleware that checks if said user is staff or not. If you log in to the demo site using a non-staff account like Username: System and Password: UNIT3D and try to access those routes, you will be redirected to an Error 403 Permission Denied.

Correct me if I'm wrong here @Ky Tran

M0rphling
2 months ago

Researcher


Hi @HDVinnie, I use this account Username: UNIT3D Password: UNIT3D; access the link and you will see the result. CSRF is a vulnerability that makes requests on behalf of any user; the goal is to force them to perform some action against their will, so the type of user shouldn't matter.

Regards.

HDVinnie validated this vulnerability 2 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie confirmed that a fix has been merged on efb593 2 months ago
HDVinnie has been awarded the fix bounty