Cross-Site Request Forgery (CSRF) in laravelio/laravel.io

Status: Valid

Reported on: Dec 14th 2021


Description

This CSRF allows an attacker to make a logged-in user unintentionally subscribe to, or unsubscribe from, a forum thread.

Proof of Concept

Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe

Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/unsubscribe

Impact

One way the GET route could be abused is that a person places an image tag with src="https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe" ANYWHERE on the internet, and if a logged-in user of your site stumbles upon that page, they will be unknowingly subscribed to the thread. The same can be done with a URL shortener or similar. This is a state-changing route and thus should be a POST protected by a @csrf token.
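As an added illustration (not the laravel.io project's own code, and not the contents of the linked fix commit), this is what moving the subscribe/unsubscribe actions from GET to POST under Laravel's CSRF protection looks like. The controller class, route names and view path are assumptions:

```php
<?php
// routes/web.php (illustrative; ThreadSubscriptionController and the
// route names are assumed, not taken from the laravel.io code base)

use App\Http\Controllers\ThreadSubscriptionController;
use Illuminate\Support\Facades\Route;

// Before: a state change reachable by GET. Laravel's VerifyCsrfToken
// middleware treats GET/HEAD/OPTIONS as "reading" requests and never
// checks a token on them, so any page that embeds the URL (an <img>
// tag, a redirect, a shortened link) triggers the action with the
// victim's own session cookie.
//
//     Route::get('forum/{thread}/subscribe',
//         [ThreadSubscriptionController::class, 'subscribe']);
//     Route::get('forum/{thread}/unsubscribe',
//         [ThreadSubscriptionController::class, 'unsubscribe']);

// After: POST only, behind the auth middleware. The web middleware group
// already applies VerifyCsrfToken, so a POST without a matching _token
// field (or X-CSRF-TOKEN header) is rejected with HTTP 419, and a GET to
// these paths now answers 405 Method Not Allowed instead of acting.
Route::middleware('auth')->group(function () {
    Route::post('forum/{thread}/subscribe',
        [ThreadSubscriptionController::class, 'subscribe'])
        ->name('forum.subscribe');
    Route::post('forum/{thread}/unsubscribe',
        [ThreadSubscriptionController::class, 'unsubscribe'])
        ->name('forum.unsubscribe');
});

/*
 * Matching view fragment, e.g. resources/views/forum/_subscribe.blade.php
 * (assumed path). @csrf renders a hidden <input name="_token"> carrying
 * the session's token, which is what VerifyCsrfToken compares against.
 *
 * <form method="POST" action="{{ route('forum.subscribe', $thread) }}">
 *     @csrf
 *     <button type="submit">Subscribe</button>
 * </form>
 *
 * <form method="POST" action="{{ route('forum.unsubscribe', $thread) }}">
 *     @csrf
 *     <button type="submit">Unsubscribe</button>
 * </form>
 */
```

A quick regression check after such a fix is a feature test that requests the old GET URLs while authenticated and asserts a 405, so the route can't silently slip back to GET in a later refactor.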

We are processing your report and will contact the laravelio/laravel.io team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
HDVinnie
2 years ago

Researcher


@admin All occurrences have been validated and fixed by the maintainer

https://github.com/laravelio/laravel.io/commit/e22474e401d209963651fcd25f8b11a017e76636

HDVinnie
2 years ago

Researcher


Commit SHA e22474e401d209963651fcd25f8b11a017e76636

We have contacted a member of the laravelio/laravel.io team and are waiting to hear back 2 years ago
Jamie Slome
2 years ago

@hdvinnie - we can no longer validate reports on behalf of the maintainers, and so will require the maintainer to mark this report as valid.

We have sent a follow up to the laravelio/laravel.io team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the laravelio/laravel.io team. We will try again in 7 days. 2 years ago
We have sent a third follow up to the laravelio/laravel.io team. We will try again in 14 days. 2 years ago
Jamie Slome
2 years ago

Following up for you on this here.

Jamie Slome validated this vulnerability 2 years ago
hdvinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome marked this as fixed in e22474e401d209963651fcd25f8b11a017e76636 with commit e22474 2 years ago
The fix bounty has been dropped
subscribe.blade.php#L7-L29 has been validated
web.php#L89-L90 has been validated