Cross-Site Request Forgery (CSRF) in pterodactyl/panel

Valid

Reported on

Oct 23rd 2021

Description

Attacker is able to logout a user if a logged in user visits attacker website.

Impact

This vulnerability is capable of forging user to unintentional logout.

Test

Tested on Firefox, Chrome and Safari.

Fix

You use POST instead of GET.

To expand:

One way ANY could be abused here is that a person (competitor perhaps:) placed an image tag with src="<your logout link>" ANYWHERE on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out.

This is why it should be a POST with a @csrf token and not GET.

While this cannot harm a users account it can be a great annoyance.

We have contacted a member of the pterodactyl/panel team and are waiting to hear back 2 years ago

Dane Everitt validated this vulnerability 2 years ago

HDVinnie has been awarded the disclosure bounty

The fix bounty is now up for grabs

Dane Everitt

commented 2 years ago

Maintainer

@admin please do not create a CVE — we handle disclosures and CVE issuance through through GitHub's security tooling, not third-parties. Additionally the CVSS score for this report is incorrect.

Dane Everitt marked this as fixed with commit 45999b 2 years ago

Dane Everitt has been awarded the fix bounty

This vulnerability will not receive a CVE

Jamie Slome

commented 2 years ago

Admin

@maintainer - a CVE will not be created for this report. Can you please confirm with the researcher, the appropriate CVSS score for this report, and we can look to update this for you.

Cheers! 🎊

Dane Everitt

commented 2 years ago

Maintainer

The security advisory is published here: https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6

Per GitHub's scoring it is a 0 due to the fact that it only signs a single user out, and is an annoyance rather than an actual exploit or ability to exfiltrate any data.

HDVinnie

commented 2 years ago

Researcher

Github uses a different scoring. The score really is not up to me. Even so I cannot change it at this point. You can test here https://huntr.dev/bounties/disclose/ with your repo url to see the scoring for CSRF. If I was off on a value then my apologies. But as I noted in the description while this is a VALID CSRF it is not harmful and is more of a annoyance that can be easily fixed.

to join this conversation

We have contacted a member of the pterodactyl/panel team and are waiting to hear back 2 years ago

Dane Everitt validated this vulnerability 2 years ago

HDVinnie has been awarded the disclosure bounty

The fix bounty is now up for grabs

Dane Everitt

commented 2 years ago

Maintainer

@admin please do not create a CVE — we handle disclosures and CVE issuance through through GitHub's security tooling, not third-parties. Additionally the CVSS score for this report is incorrect.

Dane Everitt marked this as fixed with commit 45999b 2 years ago

Dane Everitt has been awarded the fix bounty

This vulnerability will not receive a CVE

Jamie Slome

commented 2 years ago

Admin

@maintainer - a CVE will not be created for this report. Can you please confirm with the researcher, the appropriate CVSS score for this report, and we can look to update this for you.

Cheers! 🎊

Dane Everitt

commented 2 years ago

Maintainer

The security advisory is published here: https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6

Per GitHub's scoring it is a 0 due to the fact that it only signs a single user out, and is an annoyance rather than an actual exploit or ability to exfiltrate any data.

HDVinnie

commented 2 years ago

Researcher

to join this conversation