Closed
Opened Jan 13, 2016 by Chris Piper@hobbid

CSRF Vulnerabilities in forms on SUCS site and arbitrary script/html injection

SUMMARY:

POST requests can be submitted automatically in JavaScript for some forms from any site, and are automatically authenticated if the user was logged in at any point in the browser session and has not logged out (or been timed out).

Banana awards allow arbitrary HTML (including script tags) onto the page.

PROOF OF WORK:

Tests were done on https://sucs.org/~elbows/sucssite/ . Users with banana privileges who had previously logged on to elbows' SUCS site (or had it open in another tab), and who visited the URL http://ninekaku.com/test [update: now offline, see comments], found a nearly empty page. In the background they had automatically awarded a user called "test" -3 bananas and given as the reason a JavaScript URL redirection back to the page http://ninekaku.com/test.

SUGGESTED FIX:

Randomly generate a token when the page is loaded and make that part of the POST request. If the wrong random string is submitted, validation fails.

More details on prevention measures for this type of attack: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
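The suggested fix, worked through as an added example (this is not code from the issue or from the sucs-site project): a per-session random token is embedded in the award form as a hidden field, every POST is rejected unless it carries that session's token, and the award "reason" is escaped when rendered so that HTML or script tags become literal text. The in-memory session store, the `/banana` action and the form field names (`target`, `delta`, `reason`, `csrf_token`) are assumptions made for the example.

```python
import hmac
import html
import secrets

# Constructed in-memory stand-ins for the server-side session store and the
# banana-award table. Both are assumptions for this example, not the SUCS
# site's real storage.
SESSIONS = {}   # session_id -> {"user": str, "csrf_token": str}
AWARDS = []     # (awarded_by, target_user, delta, raw_reason)


def login(session_id, user):
    """Create an authenticated session (a fresh login also discards any old token)."""
    SESSIONS[session_id] = {"user": user}
    return SESSIONS[session_id]


def issue_csrf_token(session_id):
    """Mint one unguessable token per session and remember it server-side.

    A page on another origin cannot read this value: it only reaches the
    browser inside the HTML of a page served to the logged-in user.
    """
    session = SESSIONS[session_id]
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_banana_form(session_id):
    """Render the award form with the token embedded as a hidden field."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="post" action="/banana">\n'
        f'  <input type="hidden" name="csrf_token" value="{html.escape(token)}">\n'
        '  <input name="target"> <input name="delta"> <input name="reason">\n'
        '  <button>Award</button>\n'
        '</form>'
    )


def handle_banana_post(session_id, form):
    """Validate the token before acting on the request.

    Returns (http_status, message). Anything but 200 means no award was made,
    even though the request arrived with the user's valid session cookie.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # A session that never rendered the form has no token, so no POST can be
    # valid for it. Compare in constant time so response timing does not leak
    # the token; encode to bytes first because compare_digest rejects
    # non-ASCII str and the submitted value is attacker-controlled.
    if expected is None or not hmac.compare_digest(
        submitted.encode("utf-8"), expected.encode("utf-8")
    ):
        return 403, "csrf token mismatch"
    try:
        delta = int(form.get("delta", ""))
    except ValueError:
        return 400, "delta must be an integer"
    # Store the reason as submitted; escaping happens at the output boundary.
    AWARDS.append((session["user"], form.get("target", ""), delta, form.get("reason", "")))
    return 200, "awarded"


def render_awards():
    """Render the award table, escaping every user-supplied value.

    A reason such as "<script>...</script>" is shown as text, not executed.
    """
    rows = []
    for by, target, delta, reason in AWARDS:
        rows.append(
            f"<tr><td>{html.escape(by)}</td><td>{html.escape(target)}</td>"
            f"<td>{delta}</td><td>{html.escape(reason, quote=True)}</td></tr>"
        )
    return "<table>\n" + "\n".join(rows) + "\n</table>"
```

A forged request from another site carries the victim's cookie but not the token, and a token minted for the attacker's own session does not match the victim's, so both are refused with 403 before any award is recorded; only a POST that originated from the form the site itself served succeeds.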

Milestone: Fix #27
Labels: bug, confirmed, critical
Reference: sucssite/sucs-site#27