Security Fix for Cross Site Request Forgery (CSRF) - huntr.dev #57
@doshmajhan (https://huntr.dev/users/doshmajhan) has fixed a potential Cross Site Request Forgery (CSRF) vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...
| Q | A |
| --- | --- |
| Version Affected | * |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @doshmajhan, the discloser found in the bounty URL (below) and @huntr-helper.
User Comments:
📊 Metadata *
Bounty URL: https://huntr.dev/bounties/1-other-simple-http-server
⚙️ Description *
The 'upload' feature in simple-http-server is vulnerable to cross-site request forgery: it doesn't authenticate the user and simply uploads whatever files are given to it. If the upload feature is enabled, an attacker can craft a web page, and if a victim interacts with that page, a cross-site request is sent to the simple-http-server instance and a file is uploaded on behalf of the victim.
The change here generates a CSRF token when the `--upload` flag is passed and displays it to the user as well as embedding it in the HTML page for the directory listing. If the `csrf` parameter is not passed or does not match the generated one when uploading a file, the request will be rejected with a 400.
🐛 Proof of Concept (PoC) *
1. Start a web server with `--upload` as an argument, which enables the upload functionality.
2. Save the following PoC.html and open it in a browser.
3. Click on "Submit Request".
4. Observe that a file was uploaded; you can check the webroot and see the newly uploaded file.
In this process, authentication wasn't required, and with minimal user interaction a file can be uploaded on behalf of the victim.
🔥 Proof of Fix (PoF) *
In the attached screenshot you'll see that the request generated by clicking "Submit Request" in the PoC.html failed with a 400 due to not providing a CSRF token.
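The token check described above, as an added Rust example that is not the project's own code: a per-process token is generated at startup and an upload is accepted only when the `csrf` form parameter is present and equal to it, otherwise the handler answers 400. The defence works because a cross-origin page cannot read the directory listing (and therefore the token) that the server embeds for the legitimate user. Assumed here, not taken from the page: entropy is read from `/dev/urandom`, and the parameter arrives in a urlencoded query or body string; `ct_eq`, `csrf_param` and `check_upload_csrf` are hypothetical names.

```rust
use std::fs::File;
use std::io::Read;

/// Generate a 64-hex-char token at startup (when --upload is given).
/// Assumption: entropy comes from /dev/urandom; any CSPRNG would do.
pub fn generate_csrf_token() -> std::io::Result<String> {
    let mut raw = [0u8; 32];
    File::open("/dev/urandom")?.read_exact(&mut raw)?;
    Ok(raw.iter().map(|b| format!("{:02x}", b)).collect())
}

/// Constant-time comparison: the check must not leak how many leading
/// bytes of a guessed token were correct.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Extract the `csrf` field from a urlencoded string such as
/// "csrf=abc&file=x.txt". None when the field is absent.
pub fn csrf_param(form: &str) -> Option<&str> {
    form.split('&')
        .filter_map(|kv| kv.split_once('='))
        .find(|(k, _)| *k == "csrf")
        .map(|(_, v)| v)
}

/// The rule from the fix: missing or mismatched token => HTTP 400.
pub fn check_upload_csrf(expected: &str, form: &str) -> Result<(), u16> {
    match csrf_param(form) {
        Some(got) if ct_eq(got.as_bytes(), expected.as_bytes()) => Ok(()),
        _ => Err(400),
    }
}

fn main() {
    let token = generate_csrf_token().expect("cannot read /dev/urandom");
    println!("Upload token: {}", token);
    // Constructed sample requests: one from the legitimate listing page,
    // one from a cross-site form that cannot know the token.
    let good = format!("csrf={}&file=x.txt", token);
    println!("{:?}", check_upload_csrf(&token, &good)); // Ok(())
    println!("{:?}", check_upload_csrf(&token, "file=x.txt")); // Err(400)
}
```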