OpenDataRepository / data-publisher

The Open Data Repository's Data Publisher software is a tool for the scientific community to publish and collaborate simply and easily.

Potential CSRF GET request vulnerability. #62

Closed sam1360 closed 5 years ago

sam1360 commented 9 years ago

Tested against a local version of the server. Found using the w3af auditing tool.

Request:

```
GET http://odr.localhost/chemin?datatype_id=43&search_type=basic&search_type=basic&general_string=&406=&407=&410=0&413=&414=151&415=199&527=&427=&439=&445= HTTP/1.1
Host: odr.localhost
Cookie: PHPSESSID=q42jalmclu90f5iss69jv3nl01; prev_searched_datatype=chemin
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org
```

Response:

```
HTTP/1.1 200 OK
content-encoding: gzip
transfer-encoding: chunked
set-cookie: prev_searched_datatype=chemin; path=/; httponly
x-powered-by: PHP/5.3.10-1ubuntu3.18
vary: Accept-Encoding
keep-alive: timeout=5, max=81
server: Apache/2.2.22 (Ubuntu)
connection: Keep-Alive
cache-control: private
date: Mon, 08 Jun 2015 13:30:23 GMT
content-type: text/html; charset=UTF-8
```


Request 2:

```
GET http://odr.localhost/app_dev.php/chemin?datatype_id=43&search_type=basic&search_type=basic&general_string=&406=&407=&410=0&413=&414=151&415=199&527=&427=&439=&445= HTTP/1.1
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org
Host: odr.localhost
Referer: http://odr.localhost/
Cookie: PHPSESSID=g815bgp0c97bvh28dlg2meih47; prev_searched_datatype=chemin
```

Response 2:

```
HTTP/1.1 200 OK
content-encoding: gzip
transfer-encoding: chunked
set-cookie: prev_searched_datatype=chemin; path=/; httponly
x-debug-token: 4fa497
vary: Accept-Encoding
keep-alive: timeout=5, max=49
server: Apache/2.2.22 (Ubuntu)
connection: Keep-Alive
cache-control: no-cache
date: Mon, 08 Jun 2015 13:30:39 GMT
x-powered-by: PHP/5.3.10-1ubuntu3.18
content-type: text/html; charset=UTF-8

<!doctype html>
<!-- paulirish.com/2008/conditional-stylesheets-vs-css-hacks-answer-neither/ -->
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en"> <![endif]-->
<!--[if IE 7]>    <html class="no-js lt-ie9 lt-ie8" lang="en"> <![endif]-->
<!--[if IE 8]>    <html class="no-js lt-ie9" lang="en"> <![endif]-->
<!-- Consider adding a manifest.appcache: h5bp.com/d/Offline -->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en"> <!--<![endif]-->
<head>
    <meta charset="utf-8">
CheMin-MSL
<link rel="icon" type="image/x-icon" href="/favicon.ico" />
<link rel="stylesheet" href="http://yui.yahooapis.com/pure/0.5.0/grids-responsive-min.css">
<!-- Grab Google CDN's jQuery, with a protocol relative URL; fall back to local if offline -->
<!-- Do the same with jQuery UI -->
</head>

<body class="pure-skin-odr">
    <!-- The loading box -->
    <div id="loading-overlay"></div>
    <div id="loading">
        <span>Loading...</span>
    </div>
    <!-- End of loading box -->
```
mebjas commented 9 years ago

Has any method been implemented to mitigate CSRF yet? Else https://www.owasp.org/index.php/CSRFProtector_Project would be a good idea to quickly solve the issue.

natestone commented 9 years ago

Thanks for the info. That's a nice looking project.

The software we are creating is built on Symfony 2.3.x which includes CSRF tokens for CSRF protection. Assuming we have implemented their forms system correctly, we should be protected. We are currently running W3AF to ensure we haven't missed any implementation steps, etc.

That said, I really like the method of the CSRFProtector project and we will discuss implementation of that method vs. the current system.

In order to close this security report, we do need to implement the Symfony form for the search request so that CSRF-protection is enforced.

Thank you for your input.
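The fix natestone describes, routing the basic search through a Symfony 2.3 form so that the framework's CSRF token is generated on render and checked on submission, as an added example that is not the project's own code; the bundle namespace, template names and the runSearch() helper are assumptions.

```php
<?php
// Added example, not Data Publisher code. Symfony 2.3 controller that runs the
// basic search through a Form: the hidden "_token" field is minted when the
// form is rendered and verified when it is submitted.
// Namespace, template names and runSearch() are assumptions.
namespace ODR\SearchBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

class SearchController extends Controller
{
    public function basicSearchAction(Request $request)
    {
        // CSRF protection is on by default in Symfony 2.3 forms; the options are
        // spelled out so the intention is visible. A token minted for a different
        // intention (e.g. a login form) does not validate here.
        $form = $this->createFormBuilder(null, array(
                'csrf_protection' => true,
                'csrf_field_name' => '_token',
                'intention'       => 'basic_search',
            ))
            ->add('datatype_id', 'hidden')
            ->add('general_string', 'text', array('required' => false))
            ->add('search', 'submit')
            ->getForm();

        // handleRequest() binds the form only on POST (the form's default method).
        // A bare GET like the w3af request in the report is never treated as a
        // submission, so it neither runs the search nor sets the
        // prev_searched_datatype cookie.
        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            $data    = $form->getData();
            $results = $this->runSearch($data['datatype_id'], $data['general_string']);
            return $this->render('ODRSearchBundle:Search:results.html.twig',
                array('results' => $results));
        }

        // Not submitted, or submitted with a missing/stale _token: Symfony attaches
        // "The CSRF token is invalid. Please try to resubmit the form." to the form
        // and the search is not executed; the form is simply re-rendered.
        return $this->render('ODRSearchBundle:Search:form.html.twig',
            array('form' => $form->createView()));
    }

    // Assumed hook into the project's existing search logic.
    private function runSearch($datatypeId, $generalString)
    {
        return array('datatype_id' => $datatypeId, 'general_string' => $generalString);
    }
}
```

The form template must render `{{ form_widget(form._token) }}` (or `form_rest(form)`) so the token travels with the submission; omitting it makes every submission fail validation rather than bypass it.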