angular-ui / ui-grid

UI Grid: an Angular Data Grid
http://ui-grid.info
MIT License

[Security Issue] Cross-Site Request Forgery (CSRF) #7169

Open zidingz opened 3 years ago

zidingz commented 3 years ago

Description

A cross-site request forgery (CSRF) vulnerability occurs when:

- A Web application uses session cookies.
- The application acts on an HTTP request without verifying that the request was made with the user's consent.

There are 5 cases of CSRF in ui-grid.

1. The application generates an HTTP request via a form post at fileChooserEditor.html line 2. PoC:

```html
<div>
<form
name="inputForm">
<input
  ng-class="'colt' + col.uid"
  ui-grid-edit-file-chooser
  type="file"
  id="files"
  name="files[]"
  ng-model="MODEL_COL_FIELD"/>
</form>
</div>
```

The form post at fileChooserEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location: https://github.com/angular-ui/ui-grid/blob/4aa2cc59a6bc683552a1e328f639a0aa0a0c7527/packages/edit/src/templates/fileChooserEditor.html#L1-L12

2. The application generates an HTTP request via a form post at index.html line 124 and at index.html line 149. PoC (L124):

```html
<form>
  <div class="col-sm-12 col-md-6 col-lg-4" ng-repeat="v in variables track by $index">
    <label for="{{ v.name }}" class="muted">{{ v.name }}</label> <input id="{{ v.name }}" type="text" class="form-control" ng-model="v.value" ng-change="updateCSS()">
  </div>
</form>
```

PoC (L149):

```html
<form>
  <label for="customLess">Custom Less</label>
  <textarea class="form-control" id="customLess" rows="4" ng-model="customLess" ng-change="updateCSS()" ng-init="customLess = ''"></textarea>
</form>
```

The form post at index.html line 124 and line 149 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location (124-128): https://github.com/angular-ui/ui-grid/blob/4aa2cc59a6bc683552a1e328f639a0aa0a0c7527/misc/site/customizer/index.html#L124-L128

Location (149-152): https://github.com/angular-ui/ui-grid/blob/4aa2cc59a6bc683552a1e328f639a0aa0a0c7527/misc/site/customizer/index.html#L149-L152

3. The application generates an HTTP request via a form post at importerMenuItem.html line 3. PoC:

```html
<li
class="ui-grid-menu-item">
<form>
<input
  class="ui-grid-importer-file-chooser"
  type="file"
  id="files"
  name="files[]"/>
</form>
</li>
```

The form post at importerMenuItem.html line 3 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location: https://github.com/angular-ui/ui-grid/blob/4aa2cc59a6bc683552a1e328f639a0aa0a0c7527/packages/importer/src/templates/importerMenuItem.html#L1-L10

4. The application generates an HTTP request via a form post at dropdownEditor.html line 2. PoC:

```html
<div>
<form
name="inputForm">
<select
  ng-class="'colt' + col.uid"
  ui-grid-edit-dropdown
  ng-model="MODEL_COL_FIELD"
  ng-options="field[editDropdownIdLabel] as field[editDropdownValueLabel] CUSTOM_FILTERS for field in editDropdownOptionsArray">
</select>
</form>
</div>
```

The form post at dropdownEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location: https://github.com/angular-ui/ui-grid/blob/4aa2cc59a6bc683552a1e328f639a0aa0a0c7527/packages/edit/src/templates/dropdownEditor.html#L1-L11

5. The application generates an HTTP request via a form post at cellEditor.html line 2. PoC:

```html
<div>
<form
name="inputForm">
<input
  type="INPUT_TYPE"
  ng-class="'colt' + col.uid"
  ui-grid-editor
  ng-model="MODEL_COL_FIELD" />
</form>
</div>
```

The form post at cellEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location: https://github.com/angular-ui/ui-grid/blob/4aa2cc59a6bc683552a1e328f639a0aa0a0c7527/packages/edit/src/templates/cellEditor.html#L1-L10

zidingz commented 3 years ago

If you'd like to communicate with the original discloser of this security issue, or ensure he is rewarded for his research, simply let me know which GitHub users you wish to be authorised to visit the report pages below, and I'll get it sorted for you.

Reports:

- https://huntr.dev/bounties/4f9df0a7-6388-4fef-9476-d8aa9b956d58/
- https://huntr.dev/bounties/5474bb43-2bf5-4c72-9abc-fccd4dd13e92/
- https://huntr.dev/bounties/4fefa8f2-5743-4793-a595-90a822708e47/
- https://huntr.dev/bounties/b8da7d50-c25b-408b-bc34-a4e69bd867fc/
- https://huntr.dev/bounties/c0e0caba-0cd9-4fdf-a98e-886a93adf49c/

1esvee1 commented 3 years ago

Hey guys, I am the original discloser of these security issues. Please advise or give me an update on this. It would be a great help and confidence booster for my work.