
Found CSRF vulnerability #177

Closed
gsfish opened this issue Sep 11, 2018 · 1 comment
gsfish (Contributor) commented Sep 11, 2018

The AntiCSRF measures have some defects, and an attacker can bypass them with Flash by adding an X-Forwarded-Host header.

After the administrator has logged in, open the following page (the malicious payload could be injected into the configuration, see #176):

```html
<object type="application/x-shockwave-flash" data="PoC.swf?h=<target_url>"
        width="400" height="400">
</object>
```

The reason for the vulnerability is in views/lib/AntiCSRF.py line 12: request.host can be overwritten by X-Forwarded-Host, which is the default behavior of the werkzeug WSGI layer.
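To make the defect concrete, here is an added example (not code from this project) that re-implements, in plain Python, the host derivation the report describes (X-Forwarded-Host overriding the Host header) and places an origin check built on that host next to a hardened check that compares against a server-side allowlist. The helper names, the `TRUSTED_HOSTS` value and the environ dicts are constructed for the example.

```python
from urllib.parse import urlsplit

def host_from_environ(environ):
    """Derive the request host the way the report says old werkzeug did:
    a client-supplied X-Forwarded-Host wins over Host (assumption: this
    mirrors the 2018 behaviour, it is not werkzeug's own code)."""
    forwarded = environ.get("HTTP_X_FORWARDED_HOST")
    if forwarded:
        return forwarded.split(",")[0].strip().lower()
    return (environ.get("HTTP_HOST") or environ["SERVER_NAME"]).lower()

def origin_host(environ):
    """Host part of the Origin header, falling back to Referer."""
    src = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")
    if not src:
        return None
    return urlsplit(src).netloc.lower() or None

def csrf_check_vulnerable(environ):
    """Compare Origin/Referer with request.host.  Both sides are derived
    from request headers, so a cross-site request that sets a matching
    X-Forwarded-Host passes the comparison."""
    return origin_host(environ) == host_from_environ(environ)

# Hardened variant: the expected host comes from deployment configuration,
# never from anything the client sent (constructed value).
TRUSTED_HOSTS = {"app.example.internal"}

def csrf_check_hardened(environ):
    """Accept only when Origin/Referer is present and in the allowlist."""
    src = origin_host(environ)
    return src is not None and src in TRUSTED_HOSTS

def forwarded_host_mismatch(environ):
    """Detection aid: True when X-Forwarded-Host is present and differs
    from Host.  Worth logging wherever no reverse proxy is expected."""
    forwarded = environ.get("HTTP_X_FORWARDED_HOST")
    host = environ.get("HTTP_HOST")
    return bool(forwarded) and forwarded.strip().lower() != (host or "").lower()

def make_environ(host, origin=None, forwarded_host=None):
    """Constructed WSGI environ for a state-changing POST."""
    env = {"REQUEST_METHOD": "POST", "SERVER_NAME": host, "HTTP_HOST": host}
    if origin:
        env["HTTP_ORIGIN"] = origin
    if forwarded_host:
        env["HTTP_X_FORWARDED_HOST"] = forwarded_host
    return env
```

Newer werkzeug releases no longer consult X-Forwarded-Host unless the ProxyFix middleware is enabled; the helper above deliberately reproduces the older behaviour the report refers to.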

neargle (Member) commented Sep 11, 2018

Nice catch! @gsfish will fix it!

@neargle neargle reopened this Sep 13, 2018
@neargle neargle closed this as completed Sep 13, 2018