[Security Issue] Cross-Site Request Forgery (CSRF) #7169

Open
@zidingz

Description

A cross-site request forgery (CSRF) vulnerability occurs when:

  1. A Web application uses session cookies.
  2. The application acts on an HTTP request without verifying that the request was made with the user's consent.

There are 5 cases of CSRF in ui-grid.

  1. The application generates an HTTP request via a form post at fileChooserEditor.html line 2.

PoC:

```html
<div>
  <form
    name="inputForm">
    <input
      ng-class="'colt' + col.uid"
      ui-grid-edit-file-chooser
      type="file"
      id="files"
      name="files[]"
      ng-model="MODEL_COL_FIELD"/>
  </form>
</div>
```

The form post at fileChooserEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

```html
<div>
  <form
    name="inputForm">
    <input
      ng-class="'colt' + col.uid"
      ui-grid-edit-file-chooser
      type="file"
      id="files"
      name="files[]"
      ng-model="MODEL_COL_FIELD"/>
  </form>
</div>
```

  2. The application generates an HTTP request via a form post at index.html line 124 and at index.html line 149.

PoC (L124):

```html
<form>
  <div class="col-sm-12 col-md-6 col-lg-4" ng-repeat="v in variables track by $index">
    <label for="{{ v.name }}" class="muted">{{ v.name }}</label> <input id="{{ v.name }}" type="text" class="form-control" ng-model="v.value" ng-change="updateCSS()">
  </div>
</form>
```

PoC (L149):

```html
<form>
  <label for="customLess">Custom Less</label>
  <textarea class="form-control" id="customLess" rows="4" ng-model="customLess" ng-change="updateCSS()" ng-init="customLess = ''"></textarea>
</form>
```

The form post at index.html line 124 and line 149 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location (124-128):

```html
<form>
  <div class="col-sm-12 col-md-6 col-lg-4" ng-repeat="v in variables track by $index">
    <label for="{{ v.name }}" class="muted">{{ v.name }}</label> <input id="{{ v.name }}" type="text" class="form-control" ng-model="v.value" ng-change="updateCSS()">
  </div>
</form>
```

Location (149-152):

```html
<form>
  <label for="customLess">Custom Less</label>
  <textarea class="form-control" id="customLess" rows="4" ng-model="customLess" ng-change="updateCSS()" ng-init="customLess = ''"></textarea>
</form>
```

  3. The application generates an HTTP request via a form post at importerMenuItem.html line 3.

PoC:

```html
<li
  class="ui-grid-menu-item">
  <form>
    <input
      class="ui-grid-importer-file-chooser"
      type="file"
      id="files"
      name="files[]"/>
  </form>
</li>
```

The form post at importerMenuItem.html line 3 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

```html
<li
  class="ui-grid-menu-item">
  <form>
    <input
      class="ui-grid-importer-file-chooser"
      type="file"
      id="files"
      name="files[]"/>
  </form>
</li>
```

  4. The application generates an HTTP request via a form post at dropdownEditor.html line 2.

PoC:

```html
<div>
  <form
    name="inputForm">
    <select
      ng-class="'colt' + col.uid"
      ui-grid-edit-dropdown
      ng-model="MODEL_COL_FIELD"
      ng-options="field[editDropdownIdLabel] as field[editDropdownValueLabel] CUSTOM_FILTERS for field in editDropdownOptionsArray">
    </select>
  </form>
</div>
```

The form post at dropdownEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

```html
<div>
  <form
    name="inputForm">
    <select
      ng-class="'colt' + col.uid"
      ui-grid-edit-dropdown
      ng-model="MODEL_COL_FIELD"
      ng-options="field[editDropdownIdLabel] as field[editDropdownValueLabel] CUSTOM_FILTERS for field in editDropdownOptionsArray">
    </select>
  </form>
</div>
```

  5. The application generates an HTTP request via a form post at cellEditor.html line 2.

PoC:

```html
<div>
  <form
    name="inputForm">
    <input
      type="INPUT_TYPE"
      ng-class="'colt' + col.uid"
      ui-grid-editor
      ng-model="MODEL_COL_FIELD" />
  </form>
</div>
```

The form post at cellEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

```html
<div>
  <form
    name="inputForm">
    <input
      type="INPUT_TYPE"
      ng-class="'colt' + col.uid"
      ui-grid-editor
      ng-model="MODEL_COL_FIELD" />
  </form>
</div>
```
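
One common form of the "user-specific secret" the report asks for is a CSRF token bound to the user's session and checked by the server on every state-changing request. The Node.js code below is an added example, not part of the issue and not ui-grid code; the function names, the `req` object shape, the one-hour lifetime and the `_csrf` body field are assumptions, while `X-XSRF-TOKEN` is the header AngularJS `$http` sends by default when an `XSRF-TOKEN` cookie is present.

```javascript
const crypto = require('node:crypto');

// Assumption: a per-deployment server secret; generated here so the example runs stand-alone.
const SERVER_KEY = crypto.randomBytes(32);
const MAX_AGE_MS = 60 * 60 * 1000; // hypothetical one-hour token lifetime

// HMAC over the session id (length-prefixed), a random nonce and the issue time.
function sign(sessionId, nonce, issuedAt) {
  return crypto.createHmac('sha256', SERVER_KEY)
    .update(`${sessionId.length}:${sessionId}|${nonce}|${issuedAt}`)
    .digest('hex');
}

// Token to embed in a hidden form field or hand to the client for a request header.
function issueCsrfToken(sessionId, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  return `${nonce}.${now}.${sign(sessionId, nonce, now)}`;
}

// True only if the token is well-formed, unexpired and was issued for this session.
function verifyCsrfToken(sessionId, token, now = Date.now()) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [nonce, issuedAtStr, mac] = parts;
  if (!/^[0-9a-f]{32}$/.test(nonce) || !/^[0-9a-f]{64}$/.test(mac)) return false;
  if (!/^\d{1,15}$/.test(issuedAtStr)) return false;
  const issuedAt = Number(issuedAtStr);
  if (now < issuedAt || now - issuedAt > MAX_AGE_MS) return false;
  const expected = Buffer.from(sign(sessionId, nonce, issuedAt), 'hex');
  const given = Buffer.from(mac, 'hex');
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}

// Gate for incoming requests; `req` is a constructed, framework-neutral shape.
function csrfCheck(req) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return true; // safe methods carry no token
  const token = req.headers?.['x-xsrf-token'] ?? req.body?._csrf;
  return verifyCsrfToken(req.sessionId, token);
}
```

A token issued for one session fails verification under any other session id, which is what makes a cross-site form post unable to supply a valid value.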
