Cross-Site Request Forgery (CSRF) in alanaktion/phproject
Reported on
Aug 2nd 2021
✍️ Description
Attacker able to delete any group with CSRF attack.
It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application.
In CSRF attacks it is necessary that a user logged into your application just going to a malicious website and after that only with a redirection attacker can delete a group, this means only with visiting a site a group will be deleted.
🕵️♂️ Proof of Concept
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8000/phproject/admin/groups/4/delete">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Here a group with id equal to 4 will be deleted after clicking on submit button on PoC.html file.
Also for real attacks the submit button can be auto-submit.
💥 Impact
This vulnerability is capable of delete any group.
Fix
set a token with a length bigger that 16 characters then attacker never can guess the url.
Also you cat turn Lax to Strict in cookies.
📍 Location
index.php#L1
Occurrences
I've been aware of the CSRF issues for a long time now but a proper fix to them would require major reworking that the project doesn't have the resources for right now. The samesite cookie option should be possible to implement but won't fully fix the issue.
I would consider the other CSRF vulnerability reports to be the same issue, since it is universal to all form submissions in the application.
Advisory GHSA-3xfh-h685-w25m on GitHub is where I've been documenting and working on this. I'll implement the samesite cookie change there to start, but it doesn't fully address the issue because of other limitations in the project right now.