
CSRF import leads to Remote Code Execution #455

Closed
PwnFunction opened this issue Mar 21, 2019 · 2 comments

Comments

@PwnFunction

PwnFunction commented Mar 21, 2019

Summary: A Cross-Site Request Forgery (CSRF) file upload in the import feature leads to Remote Code Execution.

Description: When we import a tar file, a request is made to /api/notes/root/import. Along with the file contents, there are settings like Safe Import. The issue is that there are no CSRF protections on this endpoint, which lets an attacker make a request to this endpoint with a malicious tar file containing the following snippet of code:

<script>top.require('child_process').exec('calc')</script>

and also explicitly set the safeImport to false to disable it. After successful import, if the user clicks on the imported note, code is executed.

Note: Since the application binds to a random port, we can brute-force to find the port. The way I chose to do it was to include the ckeditor.js file from the /libraries/ckeditor/ckeditor.js endpoint; upon a successful script include we can be sure which port the application's server is running on.

Reproduction Steps:

  1. I wouldn't want a proof of concept lying on the web for people to just try it, so I'd just walk you through the steps.
  2. Firstly, look at the import request in which the tar file is uploaded; you'll notice that there are no protections against CSRF attacks.
  3. As I've already mentioned, we can brute-force the port number and then upload the malicious file (see Arbitrary Code Execution #398). You'll see it successfully imported, and when you click on the imported note, calc.exe pops up.

Demo: Video Link

Fix: Implement Anti CSRF.

@zadam
Owner

zadam commented Mar 21, 2019

Thanks for bringing this to my attention, I will implement CSRF protection for 0.31.

@PwnFunction
Author

Great!
