Cross-Site Request Forgery (CSRF) in code16/sharp

Valid

Reported on

Nov 9th 2021


Description

An attacker is able to log out a user if that logged-in user visits the attacker's website.

Impact

This vulnerability allows an attacker to force a user into an unintended logout.

Test

Tested on Edge, Firefox, Chrome and Safari.

Fix

You should use POST instead of GET.

To expand:

One way GET could be abused here: a person (a competitor, perhaps) places an image tag with src="https://example.com/logout" anywhere on the internet, and if a user of your site stumbles upon that page, they will be unknowingly logged out.

This is why it should be a POST with a @csrf token.

While this cannot harm a user's account, it can be a great annoyance and is considered a valid CSRF.
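The GET-versus-POST fix described above, as an added plain-PHP example that is not code from code16/sharp or Laravel. It assumes a hypothetical app served with PHP's built-in server and hypothetical routes /login, /logout-get (the vulnerable shape) and /logout (the hardened shape); the hidden _token field mirrors what Laravel's @csrf directive emits and what its VerifyCsrfToken middleware checks.

```php
<?php
// Added example, not code from code16/sharp or Laravel.
// Framework-free illustration of the logout CSRF and its fix.
// Assumptions (hypothetical): run with
//   php -S 127.0.0.1:8080 logout_demo.php
// /login simulates a login; /logout-get is the vulnerable GET endpoint;
// /logout is the hardened POST + token endpoint.

session_start();

// Issue one random token per session; the form below embeds it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_check(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

function do_logout(): void {
    $_SESSION = [];
    session_destroy();
}

$path   = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$method = $_SERVER['REQUEST_METHOD'];

switch (true) {
    case $path === '/login':
        $_SESSION['user'] = 'alice';
        echo "logged in as alice\n";
        break;

    // VULNERABLE: a state change on GET. An <img src="http://host/logout-get">
    // on any third-party page makes the victim's browser send this request
    // with the session cookie attached, logging the victim out.
    case $path === '/logout-get' && $method === 'GET':
        do_logout();
        echo "logged out (vulnerable path)\n";
        break;

    // FIXED: logout requires POST plus a session-bound CSRF token. An <img>
    // tag cannot send a POST, and a cross-site form cannot read the token.
    case $path === '/logout':
        if ($method !== 'POST') {
            http_response_code(405);
            header('Allow: POST');
            echo "method not allowed\n";
            break;
        }
        if (!csrf_check($_POST['_token'] ?? null)) {
            http_response_code(419); // the status Laravel returns on token mismatch
            echo "CSRF token mismatch\n";
            break;
        }
        do_logout();
        echo "logged out (safe path)\n";
        break;

    default:
        // Home page: the hidden field is what Laravel's @csrf directive renders.
        $user  = htmlspecialchars($_SESSION['user'] ?? 'nobody', ENT_QUOTES, 'UTF-8');
        $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
        echo "<p>Session user: {$user}</p>";
        echo '<form method="POST" action="/logout">';
        echo "<input type=\"hidden\" name=\"_token\" value=\"{$token}\">";
        echo '<button type="submit">Logout</button></form>';
}
```

To reproduce the report against this demo, visit /login, then open a page on another origin containing `<img src="http://127.0.0.1:8080/logout-get">` and reload the home page: the session user is gone. Doing the same with `/logout` in the img tag yields 405, and a cross-site `<form method="POST" action="http://127.0.0.1:8080/logout">` without the token yields 419. Note that browsers which default session cookies to SameSite=Lax will not attach the cookie to a cross-site image request, but they still attach it to a top-level GET navigation such as a plain link, so moving logout to POST with a token remains the correct fix rather than relying on cookie defaults.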

We are processing your report and will contact the code16/sharp team within 24 hours. 2 years ago
HDVinnie
2 years ago

Researcher


As noted in the description: "While this cannot harm a user's account it can be a great annoyance and is a valid CSRF." As a maintainer of a few Laravel projects myself, this is a simple fix. You will see that Laravel itself now uses a POST request for logout and not GET. See laravel-ui, laravel-breeze and laravel-jetstream for references. You can also find info on the Laracasts forums and the Laravel issue tracker.

We have contacted a member of the code16/sharp team and are waiting to hear back 2 years ago
We have sent a follow up to the code16/sharp team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the code16/sharp team. We will try again in 7 days. 2 years ago
We have sent a third follow up to the code16/sharp team. We will try again in 14 days. 2 years ago
HDVinnie
2 years ago

Researcher


@admin please see https://github.com/code16/sharp/issues/362

I am requesting manual validation.

Jamie Slome
2 years ago

I have written a comment on the GitHub Issue, and will await a response from the maintainer.

Philippe Lonchampt validated this vulnerability 2 years ago
hdvinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Philippe Lonchampt marked this as fixed in 7.0.0 with commit c84dd9 2 years ago
The fix bounty has been dropped