Security Issue: CSRF in DeleteFile function. [bug] #64

Closed
lethanhtrung222 opened this issue Apr 19, 2020 · 7 comments
Comments

@lethanhtrung222

In the source code, the DeleteFile function is called via an unauthenticated GET request (fp-plugins\mediamanager\tpls\admin.plugin.mediamanager.files.tpl):
		<td>
			<a class="link-delete" href="{$mmbaseurl}&deletefile={$v.type}-{$v.name}">{$plang.delete}</a>
		</td>
The application does not have anti-CSRF tokens, so it is vulnerable to Cross-Site Request Forgery attacks. The vulnerability allows deleting any file.
@lethanhtrung222 lethanhtrung222 changed the title Security Issue: CSRF in DeleteFile function. Security Issue: CSRF in DeleteFile function. [bug] Apr 19, 2020
@lethanhtrung222
Author

Similar to the file deletion feature, I also discovered the CSRF bug in the post deletion feature and the plugin disabling feature.

I can delete any entry and disable any plugin.

@lethanhtrung222
Author

Your endpoints:
/flat/admin.php?p=entry&action=delete&entry=
/flat/admin.php?p=plugin&action=default&disableantispam&_wpnonce=
/flat/admin.php?p=uploader&action=mediamanager&deletefile=
/flat/admin.php?p=uploader&action=mediamanager&deletefile=gallery-

@azett azett added the security label Apr 19, 2020
@azett
Member

azett commented Apr 21, 2020

Confirmed, thank you very much for finding and reporting this!

I branched v1.1 to "issue64", so we can publish a bugfix release 1.1.1 as soon as the problem is solved.

azett added a commit that referenced this issue Oct 18, 2020
… reported by @lethanhtrung222. Thanks a lot!

Also, session is destroyed properly on logout.
And: Updated version number to "1.1.1".
@azett
Member

azett commented Oct 18, 2020

Fixed with bb10fd7 in Branch issue64. Thank you very much for reporting!

@azett azett closed this as completed Oct 18, 2020
@lethanhtrung222
Author

lethanhtrung222 commented Oct 19, 2020 via email

@azett
Member

azett commented Dec 29, 2022

Not fixed correctly, needs to be reopened.

No need for new nonce functions, FP has them all (wp_create_nonce, wp_verify_nonce, check_admin_referer etc). They just have to be used :)
Current status:
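As an added example (it is neither FlatPress code nor code posted in this thread), the following PHP shows the delete link as reported in the first comment beside a nonce-protected version, and a handler that refuses any request whose nonce does not verify. The helpers create_nonce/verify_nonce are modelled on the WordPress-style wp_create_nonce/wp_verify_nonce the maintainer mentions; their exact behaviour in FlatPress is not shown on this page, so the per-install secret, the binding to a user name, the 12-hour tick window and the parameter name _wpnonce are assumptions made for this demonstration.

```php
<?php
// Added example for issue #64; not FlatPress code. The nonce helpers are
// modelled on WordPress-style wp_create_nonce/wp_verify_nonce (which the
// maintainer says FlatPress already has); the secret, the tick length, the
// user binding and the '_wpnonce' parameter name are assumptions of this demo.
declare(strict_types=1);

const NONCE_SECRET = 'replace-with-a-random-per-install-secret'; // assumed per-install secret
const NONCE_LIFE   = 43200; // 12 h: a nonce is accepted for the current and the previous tick

function nonce_tick(): int
{
    return (int) ceil(time() / (NONCE_LIFE / 2));
}

function nonce_hash(int $tick, string $action, string $user): string
{
    // HMAC over tick|action|user, truncated to 10 hex chars the way WordPress does it
    return substr(hash_hmac('sha256', $tick . '|' . $action . '|' . $user, NONCE_SECRET), -12, 10);
}

function create_nonce(string $action, string $user): string
{
    return nonce_hash(nonce_tick(), $action, $user);
}

function verify_nonce(string $nonce, string $action, string $user): bool
{
    $tick = nonce_tick();
    foreach ([$tick, $tick - 1] as $t) {
        // hash_equals: constant-time compare, so the nonce cannot be guessed byte by byte
        if (hash_equals(nonce_hash($t, $action, $user), $nonce)) {
            return true;
        }
    }
    return false;
}

// As reported: the template emits a plain GET link, so any page the logged-in
// admin visits can trigger the deletion with an <img> or <a> pointing here.
function vulnerable_delete_link(string $baseUrl, string $type, string $name): string
{
    return $baseUrl . '&deletefile=' . rawurlencode($type . '-' . $name);
}

// Fixed: the link carries a nonce bound to the exact file and to the logged-in
// user, which a third-party site cannot compute without the secret.
function safe_delete_link(string $baseUrl, string $type, string $name, string $user): string
{
    $target = $type . '-' . $name;
    $nonce  = create_nonce('deletefile-' . $target, $user);
    return $baseUrl . '&deletefile=' . rawurlencode($target) . '&_wpnonce=' . rawurlencode($nonce);
}

// Handler side: the file is only removed when the nonce verifies for this user
// and this exact target; anything else is treated as a CSRF attempt.
function handle_delete(array $query, string $user, callable $deleteFile): string
{
    if (!isset($query['deletefile'])) {
        return 'ignored: no deletefile parameter';
    }
    $target = (string) $query['deletefile'];
    $nonce  = (string) ($query['_wpnonce'] ?? '');
    if ($nonce === '' || !verify_nonce($nonce, 'deletefile-' . $target, $user)) {
        return 'refused: missing or invalid nonce (possible CSRF) for ' . $target;
    }
    $deleteFile($target);
    return 'deleted ' . $target;
}

// Constructed demo (no real file is touched): the deletion callback is a no-op.
$user = 'admin';
$base = 'admin.php?p=uploader&action=mediamanager';
$noop = static function (string $target): void {};

// Case 1: a link minted by the application for this user, nonce included.
parse_str((string) parse_url(safe_delete_link($base, 'gallery', 'photo.jpg', $user), PHP_URL_QUERY), $good);
echo handle_delete($good, $user, $noop), PHP_EOL;

// Case 2: the link as it was before the fix, which is all a cross-site page can forge.
parse_str((string) parse_url(vulnerable_delete_link($base, 'gallery', 'photo.jpg'), PHP_URL_QUERY), $forged);
echo handle_delete($forged, $user, $noop), PHP_EOL;

// Case 3: a valid nonce replayed against a different file; the action string
// includes the target, so it must not verify.
$forged['deletefile'] = 'gallery-other.jpg';
$forged['_wpnonce']   = $good['_wpnonce'];
echo handle_delete($forged, $user, $noop), PHP_EOL;
```

Run it with `php example.php`; only the first case performs the deletion. Two design points worth keeping when applying this pattern to the real plugin, post-delete and plugin-disable endpoints listed earlier in the thread: bind the nonce to the session (or a per-session token) rather than only to the user name, so a nonce leaked from one session is useless in another, and move state-changing actions from GET links to POST forms so that a nonce check is not the only thing standing between a browser prefetch or a link preview and a deleted file.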

@azett
Member

azett commented Dec 30, 2022

Finally fixed, will be part of FlatPress 1.3. Yay \o/

@azett azett closed this as completed Dec 30, 2022