
CVE-2021-4162: Cross-Site Request Forgery (CSRF) in archivy

archivy is vulnerable to Cross-Site Request Forgery (CSRF)

Tags: #csrf #vulnerability

Title

Missing CSRF token validation leads to note deletion.

Summary

The route /dataobj/delete/<int:dataobj_id> is responsible for note deletion. Instead of POST, it accepts the GET and DELETE methods:

# Vulnerable route as shipped in archivy (app and data are archivy's Flask
# application object and data module; only the flask imports are added here).
from flask import flash, redirect

@app.route("/dataobj/delete/<int:dataobj_id>", methods=["DELETE", "GET"])
def delete_data(dataobj_id):
    try:
        # Deletes the note without checking any CSRF token.
        data.delete_item(dataobj_id)
    except BaseException:
        flash("Data could not be found!", "error")
        return redirect("/")
    flash("Data deleted!", "success")
    return redirect("/")

While both request paths carry a CSRF token, the token is never actually verified by the server, so it can simply be omitted from the request, which leads to CSRF.

Steps to reproduce

  1. Create any note and get its ID.
  2. Open the page from PoC.html with the concrete ID in your browser and click the button.
  3. Observe that the note with the specified ID was deleted.

Proof of Concept

// PoC.html
<form action="http://127.0.0.1:5000/dataobj/delete/{yourNoteID}" method="GET">
<input type="submit" value="Click me"/>
</form>

Possible remediation

Use the POST method instead and verify the CSRF token.
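As an added example that is not archivy's own code, the remediation above written as framework-independent Python: the handler rejects anything but POST and verifies a per-session CSRF token in constant time before deleting. The in-memory note store, the session dict and the function names are assumptions made for this illustration.

```python
import hmac
import secrets

# Constructed stand-in for archivy's note store (assumption for this example).
NOTES = {1: "first note", 2: "second note"}


def issue_csrf_token(session):
    """Mint a per-session token and keep the server-side copy for later verification.

    A cross-origin page cannot read this value, which is what makes the check effective.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_is_valid(session, submitted):
    """Fail closed when either side is missing; compare in constant time otherwise."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def delete_data(method, form, session, dataobj_id):
    """Hardened equivalent of the vulnerable route.

    Returns (status, message) instead of a Flask response so the logic can be
    exercised without a web server: POST only, token verified, then delete.
    """
    if method != "POST":
        return 405, "Method Not Allowed"
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return 400, "CSRF token missing or invalid"
    if dataobj_id not in NOTES:
        return 404, "Data could not be found!"
    del NOTES[dataobj_id]
    return 200, "Data deleted!"
```

The PoC form from this advisory maps to the first two branches: its GET submission is refused outright, and even a POST from a foreign origin carries no valid token.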

Impact

This vulnerability allows an attacker to delete a user's notes.
