AUR web interface


FS#35437 - CSRF vulnerability

Attached to Project: AUR web interface
Opened by Peter Wu (Lekensteyn) - Thursday, 23 May 2013, 09:53 GMT
Last edited by canyonknight (canyonknight) - Monday, 02 September 2013, 17:56 GMT
Task Type Bug Report
Category Backend
Status Closed
Assigned To canyonknight (canyonknight), Lukas Fleischer (lfleischer)
Architecture All
Severity Medium
Priority Normal
Reported Version 2.2.0
Due in Version 2.3.0
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Actions like 'flag', 'vote', 'unvote', 'notify' and 'unnotify' are prone to cross-site request forgery.

For example, visit a website containing:

<img src="https://aur.archlinux.org/packages/bbswitch-dkms/flag/">

This will trigger flagging a package. Any chance that these GET requests get turned into POST ones with protection as applied to the "Disown package" button?

Closed by  canyonknight (canyonknight)
Monday, 02 September 2013, 17:56 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed in 2.3.0
Comment by canyonknight (canyonknight) - Thursday, 23 May 2013, 22:08 GMT
I patched CSRF vulnerabilities about a year ago [1]. When the AUR transitioned to using pretty URLs and got rid of the actions bar on package pages the CSRF vulnerabilities worked their way back in. That's when merging and deletion were moved to individual pages to eliminate any higher impact vectors [2],[3].

I agree that we should really fix them once and for all. The only thing is from a design point of view I don't really like the thought of a bunch of POST buttons in the package actions box...

[1] https://projects.archlinux.org/aur.git/commit/?id=2c93f0a98f0f6380fd07ea17fd16afa2c6e4925b
[2] https://projects.archlinux.org/aur.git/commit/?id=00cffd7ddba6bd7b65fcd4c1ce625515cf5489d0
[3] https://projects.archlinux.org/aur.git/commit/?id=752c5a6e3483b2309e4b48943adce2625a9bc716
Comment by Peter Wu (Lekensteyn) - Friday, 24 May 2013, 08:28 GMT
With HTML5, one form suffices:

<form method="post" action="..." id="postform">
<input type="hidden" name="csrftoken" value="...">
</form>

<button form="postform" name="action" value="do_stuff">Do Stuff</button>

See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/button. For older browsers, you can add a polyfill.
Comment by Daniel Micay (thestinger) - Friday, 24 May 2013, 08:40 GMT
The buttons could be styled as links with just CSS, right?

Either way I think it's important to switch to POSTs with a form token (already there).
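The two shapes under discussion, as an added example that is not aurweb's own (PHP) code: a handler that performs the action on any GET to the action URL, which is what lets a third-party `<img>` flag a package with the visitor's cookies, next to a POST-only handler that checks a per-session token, plus the single hidden form with HTML5 `form=` buttons proposed above. The `Request` class, the `state` dict and the `/packages/<name>/` route layout are hypothetical stand-ins.

```python
"""Added example, not aurweb code: GET-triggered package action vs. a
POST-only handler protected by a per-session CSRF token."""
import hmac
import secrets
from dataclasses import dataclass, field

# Actions named in the report as CSRF-prone.
ACTIONS = {"flag", "unflag", "vote", "unvote", "notify", "unnotify"}


@dataclass
class Request:
    """Hypothetical stand-in for the framework's request object."""
    method: str                 # "GET" or "POST"
    path: str                   # e.g. "/packages/bbswitch-dkms/flag/"
    session: dict               # server-side session of the logged-in user
    form: dict = field(default_factory=dict)  # POST body fields


def package_from_path(path):
    # "/packages/<pkgname>/..." -> "<pkgname>"
    return path.split("/")[2]


def vulnerable_handler(req, state):
    """Pre-fix shape: the action is read from the URL and performed on any
    request, so <img src="https://.../packages/bbswitch-dkms/flag/"> on a
    third-party page flags the package using the visitor's session cookie."""
    pkg = package_from_path(req.path)
    action = req.path.rstrip("/").split("/")[-1]
    if action not in ACTIONS:
        return 404
    state.setdefault(pkg, []).append(action)
    return 200


def issue_token(session):
    """Random per-session token, kept server-side and embedded in the form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def hardened_handler(req, state):
    """POST only (an <img> fetch is always a GET), and the submitted token must
    match the session's token; constant-time compare so a mismatch leaks no
    prefix information."""
    if req.method != "POST":
        return 405
    expected = req.session.get("csrf_token")
    submitted = req.form.get("token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403
    action = req.form.get("action")
    if action not in ACTIONS:
        return 400
    state.setdefault(package_from_path(req.path), []).append(action)
    return 200


def render_action_box(session, pkg):
    """One hidden form plus HTML5 form= buttons, as suggested in the thread,
    so the action box needs no <form> per action. The token is hex and needs
    no HTML escaping; any user-derived value would."""
    token = issue_token(session)
    buttons = "".join(
        f'<button form="postform" name="action" value="{a}">{a}</button>'
        for a in sorted(ACTIONS))
    return (f'<form method="post" action="/packages/{pkg}/" id="postform">'
            f'<input type="hidden" name="token" value="{token}"></form>'
            + buttons)
```

The token lives in the server-side session and is compared with `hmac.compare_digest`; rejecting non-POST requests outright (405) means the `<img>` trick from the report has no side effect even before the token is checked. The buttons can still be styled as links with CSS, as noted above, without weakening any of this.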
Comment by Lukas Fleischer (lfleischer) - Tuesday, 27 August 2013, 00:29 GMT