Skip to content

GitLab

  • Menu
Projects Groups Snippets
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • S sucs-site
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 25
    • Issues 25
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 1
    • Merge requests 1
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Repository
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • sucssite
  • sucs-site
  • Issues
  • #27

Closed
Open
Created Jan 13, 2016 by Chris Piper@hobbidDeveloper

CSRF Vulnerabilities in forms on SUCS site and arbitrary script/html injection

SUMMARY:

Post requests can be submitted automatically in javascript for some forms from any site and are automatically authenticated if the user was logged in at any point in the browser session and has not logged out (or been timed out).

Banana awards allow arbitrary html (including script tags onto the page).

PROOF OF WORK:

Tests were done on https://sucs.org/~elbows/sucssite/ . Users with banana privileges who had previously logged on to elbows sucs site (or had it open in another tab), who visited the url http://ninekaku.com/test [update: now offline, see comments] found a nearly empty page. In the background they had automatically awarded a user called "test" -3 bananas and given as the reason javascript url redirection back to the page http://ninekaku.com/test

SUGGESTED FIX:

Randomly generate a token when the page is loaded and make that part of the post request. If the wrong random string is submitted validation fails.

More details on prevention measures for this type of attack. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

Assignee
Assign to
Time tracking