[Security Issue] Cross-Site Request Forgery (CSRF) #7169

Open
zidingz opened this issue Aug 19, 2021 · 2 comments

Comments


zidingz commented Aug 19, 2021

Description

A cross-site request forgery (CSRF) vulnerability occurs when:
  - A Web application uses session cookies.
  - The application acts on an HTTP request without verifying that the request was made with the user's consent.

There are 5 cases of CSRF in ui-grid.

  1. The application generates an HTTP request via a form post at fileChooserEditor.html line 2.
    PoC:
<div>
  <form
    name="inputForm">
    <input
      ng-class="'colt' + col.uid"
      ui-grid-edit-file-chooser
      type="file"
      id="files"
      name="files[]"
      ng-model="MODEL_COL_FIELD"/>
  </form>
</div>

The form post at fileChooserEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

<div>
<form
name="inputForm">
<input
ng-class="'colt' + col.uid"
ui-grid-edit-file-chooser
type="file"
id="files"
name="files[]"
ng-model="MODEL_COL_FIELD"/>
</form>
</div>

  2. The application generates an HTTP request via a form post at index.html line 124 and at index.html line 149.
    PoC (L124):
<form>
            <div class="col-sm-12 col-md-6 col-lg-4" ng-repeat="v in variables track by $index">
              <label for="{{ v.name }}" class="muted">{{ v.name }}</label> <input id="{{ v.name }}" type="text" class="form-control" ng-model="v.value" ng-change="updateCSS()">
            </div>
          </form>

PoC (L149):

<form>
            <label for="customLess">Custom Less</label>
            <textarea class="form-control" id="customLess" rows="4" ng-model="customLess" ng-change="updateCSS()" ng-init="customLess = ''"></textarea>
          </form>

The form post at index.html line 124 and line 149 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location (124-128):

<form>
<div class="col-sm-12 col-md-6 col-lg-4" ng-repeat="v in variables track by $index">
<label for="{{ v.name }}" class="muted">{{ v.name }}</label> <input id="{{ v.name }}" type="text" class="form-control" ng-model="v.value" ng-change="updateCSS()">
</div>
</form>

Location (149-152):

<form>
<label for="customLess">Custom Less</label>
<textarea class="form-control" id="customLess" rows="4" ng-model="customLess" ng-change="updateCSS()" ng-init="customLess = ''"></textarea>
</form>

  3. The application generates an HTTP request via a form post at importerMenuItem.html line 3.
    PoC:
<li
  class="ui-grid-menu-item">
  <form>
    <input
      class="ui-grid-importer-file-chooser"
      type="file"
      id="files"
      name="files[]"/>
  </form>
</li>

The form post at importerMenuItem.html line 3 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

<li
class="ui-grid-menu-item">
<form>
<input
class="ui-grid-importer-file-chooser"
type="file"
id="files"
name="files[]"/>
</form>
</li>

  4. The application generates an HTTP request via a form post at dropdownEditor.html line 2.
    PoC:
<div>
  <form
    name="inputForm">
    <select
      ng-class="'colt' + col.uid"
      ui-grid-edit-dropdown
      ng-model="MODEL_COL_FIELD"
      ng-options="field[editDropdownIdLabel] as field[editDropdownValueLabel] CUSTOM_FILTERS for field in editDropdownOptionsArray">
    </select>
  </form>
</div>

The form post at dropdownEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

<div>
<form
name="inputForm">
<select
ng-class="'colt' + col.uid"
ui-grid-edit-dropdown
ng-model="MODEL_COL_FIELD"
ng-options="field[editDropdownIdLabel] as field[editDropdownValueLabel] CUSTOM_FILTERS for field in editDropdownOptionsArray">
</select>
</form>
</div>

  5. The application generates an HTTP request via a form post at cellEditor.html line 2.
    PoC:
<div>
  <form
    name="inputForm">
    <input
      type="INPUT_TYPE"
      ng-class="'colt' + col.uid"
      ui-grid-editor
      ng-model="MODEL_COL_FIELD" />
  </form>
</div>

The form post at cellEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

<div>
<form
name="inputForm">
<input
type="INPUT_TYPE"
ng-class="'colt' + col.uid"
ui-grid-editor
ng-model="MODEL_COL_FIELD" />
</form>
</div>


zidingz commented Aug 19, 2021

If you'd like to communicate with the original discloser of this security issue, or ensure he is rewarded for his research, simply let me know which GitHub users you wish to be authorised to visit the report pages below, and I'll get it sorted for you.

Reports:
https://huntr.dev/bounties/4f9df0a7-6388-4fef-9476-d8aa9b956d58/
https://huntr.dev/bounties/5474bb43-2bf5-4c72-9abc-fccd4dd13e92/
https://huntr.dev/bounties/4fefa8f2-5743-4793-a595-90a822708e47/
https://huntr.dev/bounties/b8da7d50-c25b-408b-bc34-a4e69bd867fc/
https://huntr.dev/bounties/c0e0caba-0cd9-4fdf-a98e-886a93adf49c/


1esvee1 commented Aug 25, 2021

Hey guys, I am the original discloser of these security issues. Please advise or give me an update on this. It would be a great help and a confidence booster for my work.
