
PollNY: Classic CSRF in Special:CreatePoll & Special:UpdatePoll + API module
Closed, ResolvedPublicSecurity

Description

A registered user who is either a poll admin or the author of a particular poll could be tricked into visiting a page which contains an iframe or some such pointing to Special:UpdatePoll with the id (poll ID), poll_answer_N (where N is between 1 and 10, one for each of the ten possible answer options) and poll_image_name URL params set, and the poll with the given ID would be updated as requested, since the special page lacks a CSRF token check and only checks that the request was POSTed.

Likewise, Special:CreatePoll is also vulnerable to a similar attack, as it also fails to check for a token. All you need to spoof someone into creating a poll is a POST request with the desired values.

Ironically enough, Special:AdminPoll is totally safe, because currently the administrative functions are not available in "pure" PHP but rather only via the API module + JS (see also T248390: Better NoJS support)...but sadly the API module is currently vulnerable to CSRF, as per @Bawolff, since it doesn't check the CSRF token for its write actions (delete, updateStatus, vote).


Event Timeline

ashley created this task. Mar 26 2020, 1:55 PM
Restricted Application added a subscriber: Aklapper. Mar 26 2020, 1:55 PM
ashley claimed this task. Mar 26 2020, 1:55 PM
ashley added a project: PollNY.
Restricted Application added a project: Social-Tools. Mar 26 2020, 1:55 PM
sbassett moved this task from Incoming to Watching on the Security-Team board. Mar 26 2020, 7:11 PM


Proposed patch, which also contains parts of T248390: Better NoJS support for PollNY because splitting them up would've been quite a pain.

Looks like you are adding an edit token to the forms, and then checking it when processing it, so this should fix the issue.
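The two shapes discussed in this task, the POST-only check in the description and the edit-token check the comment above describes, as an added example. This is illustrative code, not PollNY's code or the proposed patch; the class names, the `savePoll` helper, the `polladmin` right and the parameter layout are assumptions. The MediaWiki calls used (`WebRequest::wasPosted`, `User::getEditToken`, `User::matchEditToken`, `Html::hidden`, `ApiBase::needsToken`, `ApiBase::isWriteMode`, `ApiBase::mustBePosted`) are real core APIs of the MediaWiki versions current when this task was filed.

```php
<?php
// Added example, not PollNY's own code. Names marked "hypothetical" are
// assumptions made for illustration.

// BEFORE: the vulnerable shape. wasPosted() is true for any POST, including
// one auto-submitted from an attacker's page, so it is not a CSRF defence.
class SpecialUpdatePollVulnerable extends SpecialPage {
	public function __construct() {
		parent::__construct( 'UpdatePoll' );
	}

	public function execute( $par ) {
		$request = $this->getRequest();
		if ( $request->wasPosted() ) {
			$id = $request->getInt( 'id' );
			$answers = [];
			for ( $i = 1; $i <= 10; $i++ ) {
				$answers[$i] = $request->getText( "poll_answer_{$i}" );
			}
			$image = $request->getText( 'poll_image_name' );
			$this->savePoll( $id, $answers, $image ); // hypothetical helper
		}
	}
}

// AFTER: the hardened shape. The form carries a per-session edit token and
// the handler refuses to write unless the submitted token matches. Keep the
// wasPosted() check as well: a token-bearing GET would leak the token into
// logs and referrers.
class SpecialUpdatePollHardened extends SpecialPage {
	public function __construct() {
		parent::__construct( 'UpdatePoll', 'polladmin' ); // hypothetical right
	}

	public function execute( $par ) {
		$this->setHeaders();
		$this->checkPermissions();
		$request = $this->getRequest();
		$user = $this->getUser();
		$out = $this->getOutput();

		if ( $request->wasPosted() && $user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
			$id = $request->getInt( 'id' );
			$answers = [];
			for ( $i = 1; $i <= 10; $i++ ) {
				$answers[$i] = $request->getText( "poll_answer_{$i}" );
			}
			$image = $request->getText( 'poll_image_name' );
			$this->savePoll( $id, $answers, $image ); // hypothetical helper
			$out->addWikiMsg( 'poll-updated' ); // hypothetical message key
			return;
		}

		// Render the form (GET, or POST with a missing/stale token) with a
		// fresh token bound to this user's session.
		$html = Html::openElement( 'form', [
			'method' => 'post',
			'action' => $this->getPageTitle()->getLocalURL(),
		] );
		$html .= Html::hidden( 'id', $request->getInt( 'id' ) );
		$html .= Html::hidden( 'wpEditToken', $user->getEditToken() );
		for ( $i = 1; $i <= 10; $i++ ) {
			$html .= Html::input( "poll_answer_{$i}", '', 'text' ) . '<br />';
		}
		$html .= Html::input( 'poll_image_name', '', 'text' ) . '<br />';
		$html .= Html::submitButton( $this->msg( 'poll-update-submit' )->text(), [] ); // hypothetical key
		$html .= Html::closeElement( 'form' );
		$out->addHTML( $html );
	}
}

// The API module: declaring a csrf token requirement makes ApiBase reject
// requests without a valid token before execute() runs, and mustBePosted()
// refuses GET. The parameter names here are assumptions.
class ApiPollNYHardened extends ApiBase {
	public function execute() {
		$params = $this->extractRequestParams();
		// ... dispatch on $params['what'] (delete / updateStatus / vote) ...
	}

	public function needsToken() {
		return 'csrf';
	}

	public function isWriteMode() {
		return true;
	}

	public function mustBePosted() {
		return true;
	}

	public function getAllowedParams() {
		return [
			'what' => [
				ApiBase::PARAM_TYPE => [ 'delete', 'updateStatus', 'vote' ],
				ApiBase::PARAM_REQUIRED => true,
			],
			'pollID' => [ ApiBase::PARAM_TYPE => 'integer', ApiBase::PARAM_REQUIRED => true ],
		];
	}
}
```

With `needsToken()` returning `'csrf'`, every caller of the API module has to supply `token=` from `action=query&meta=tokens`; the extension's own JS would typically do this via `new mw.Api().postWithToken( 'csrf', { ... } )`, which fetches and retries on a `badtoken` error. A quick check for any MediaWiki write endpoint is to replay a captured POST with the `wpEditToken` (or API `token`) parameter removed or set to `+\`: the hardened code must not perform the write.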

Alright, with the aforementioned patch being reviewed and merged, all that's left here is to close this task and make it public. Could someone do that, please?

Bawolff closed this task as Resolved. May 25 2020, 11:35 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".
Bawolff changed the edit policy from "Custom Policy" to "All Users".