CSRF vulnerability in web-based Interface #18

Closed
pehelwan opened this issue Feb 21, 2018 · 2 comments
pehelwan commented Feb 21, 2018

CSRF protection missing on sensitive authenticated actions.

DanWin self-assigned this Nov 16, 2018
Contributor

NoahvdAa commented Jan 21, 2019

This issue is really important as any site can upload/delete/create files if a user is logged in.

If you visit my example attack page: https://file.webwevers.nl/c1123d5439d61c7a7821367bdf6da93f.html, and happen to be logged in on the file manager, it will create the file CSRFShouldBeFixed in /www/. This is just file creation, but an attacker could also delete files or entire directories with this attack. This issue can be fixed very easily, however, by just creating a CSRF token on login / on page load, and then storing it in the session:

<?php
// Use a CSPRNG; uniqid() is derived from the current time and is predictable.
$token = bin2hex(random_bytes(32));
$_SESSION['token'] = $token;
?>

Then, in your form use this:

<input type="hidden" name="token" value="<?= $_SESSION['token'] ?>">

When the form is submitted, just compare the two tokens.

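// Fail closed: with a loose != comparison, a request with no token and a
// session with no token would compare null to null and be accepted.
$sent = $_POST['token'] ?? '';
$expected = $_SESSION['token'] ?? '';
if (!is_string($sent) || !is_string($expected) || $expected === '' || !hash_equals($expected, $sent)) {
  echo 'Your message here';
  exit;
} else {
  echo 'Tokens matched, everything is fine.';
  exit;
}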
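
A self-contained version of the token check described in the comment above, added here as an example; it is not the project's code and not the fix in 9c5294e. The function names (`csrf_token`, `csrf_field`, `csrf_check`) are hypothetical, and plain arrays stand in for `$_SESSION` and `$_POST` so it runs from the PHP CLI.

```php
<?php
// Added example; function names are hypothetical, not the project's own code.
declare(strict_types=1);

function csrf_token(array &$session): string
{
    // Issue one unpredictable token per session and reuse it for every form.
    if (!isset($session['token']) || !is_string($session['token'])) {
        $session['token'] = bin2hex(random_bytes(32));
    }
    return $session['token'];
}

function csrf_field(array &$session): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES) . '">';
}

function csrf_check(string $method, array $post, array $session): bool
{
    // Only state-changing requests carry a token; reads must stay side-effect free.
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $sent = $post['token'] ?? null;
    $expected = $session['token'] ?? null;
    // Missing or non-string values fail closed: null on both sides must not "match".
    if (!is_string($sent) || !is_string($expected) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $sent); // constant-time comparison
}

// Constructed requests; arrays stand in for $_SESSION and $_POST.
$session = [];
$token = csrf_token($session);
$cases = [
    'form rendered by the app'  => ['POST', ['token' => $token, 'name' => 'a.txt'], $session],
    'cross-site form, no token' => ['POST', ['name' => 'CSRFShouldBeFixed'], $session],
    'guessed token'             => ['POST', ['token' => str_repeat('0', 64)], $session],
    'token[] array parameter'   => ['POST', ['token' => ['x']], $session],
    'no token on either side'   => ['POST', [], []],
    'plain page view'           => ['GET', [], $session],
];
foreach ($cases as $label => [$method, $post, $sess]) {
    printf("%-26s %s\n", $label, csrf_check($method, $post, $sess) ? 'accepted' : 'rejected');
}
```

The check only protects actions that are reachable through state-changing methods, so file creation, upload and deletion must not be triggerable by GET.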

Owner

DanWin commented Jan 27, 2019

Fully fixed in 9c5294e

DanWin closed this as completed Jan 27, 2019