[Security Issue] Cross-Site Request Forgery (CSRF)

[zidingz]

Description

A cross-site request forgery (CSRF) vulnerability occurs when:
A Web application uses session cookies.
The application acts on an HTTP request without verifying that the request was made with the user's consent.

There are 5 cases of CSRF in ui-grid.

1. The application generates HTTP request via a form post at fileChooserEditor.html line 2.
   PoC:

<div>
  <form
    name="inputForm">
    <input
      ng-class="'colt' + col.uid"
      ui-grid-edit-file-chooser
      type="file"
      id="files"
      name="files[]"
      ng-model="MODEL_COL_FIELD"/>
  </form>
</div>

The form post at fileChooserEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

ui-grid/packages/edit/src/templates/fileChooserEditor.html

Lines 1 to 12 in 4aa2cc5

	<div>
	<form
	name="inputForm">
	<input
	ng-class="'colt' + col.uid"
	ui-grid-edit-file-chooser
	type="file"
	id="files"
	name="files[]"
	ng-model="MODEL_COL_FIELD"/>
	</form>
	</div>

2. The application generates HTTP request via a form post at index.html line 124 and at index.html line 149.
   PoC (L124):

<form>
            <div class="col-sm-12 col-md-6 col-lg-4" ng-repeat="v in variables track by $index">
              <label for="{{ v.name }}" class="muted">{{ v.name }}</label> <input id="{{ v.name }}" type="text" class="form-control" ng-model="v.value" ng-change="updateCSS()">
            </div>
          </form>

PoC (L149):

<form>
            <label for="customLess">Custom Less</label>
            <textarea class="form-control" id="customLess" rows="4" ng-model="customLess" ng-change="updateCSS()" ng-init="customLess = ''"></textarea>
          </form>

The form post at index.html line 124 and line 149 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location (124-128):

ui-grid/misc/site/customizer/index.html

Lines 124 to 128 in 4aa2cc5

	<form>
	<div class="col-sm-12 col-md-6 col-lg-4" ng-repeat="v in variables track by $index">
	<label for="{{ v.name }}" class="muted">{{ v.name }}</label> <input id="{{ v.name }}" type="text" class="form-control" ng-model="v.value" ng-change="updateCSS()">
	</div>
	</form>

Location (149-152):

ui-grid/misc/site/customizer/index.html

Lines 149 to 152 in 4aa2cc5

	<form>
	<label for="customLess">Custom Less</label>
	<textarea class="form-control" id="customLess" rows="4" ng-model="customLess" ng-change="updateCSS()" ng-init="customLess = ''"></textarea>
	</form>

3. The application generates HTTP request via a form post at importerMenuItem.html line 3.
   PoC:

<li
  class="ui-grid-menu-item">
  <form>
    <input
      class="ui-grid-importer-file-chooser"
      type="file"
      id="files"
      name="files[]"/>
  </form>
</li>

The form post at importerMenuItem.html line 3 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

ui-grid/packages/importer/src/templates/importerMenuItem.html

Lines 1 to 10 in 4aa2cc5

	<li
	class="ui-grid-menu-item">
	<form>
	<input
	class="ui-grid-importer-file-chooser"
	type="file"
	id="files"
	name="files[]"/>
	</form>
	</li>

4. The application generates HTTP request via a form post at dropdownEditor.html line 2.
   PoC:

<div>
  <form
    name="inputForm">
    <select
      ng-class="'colt' + col.uid"
      ui-grid-edit-dropdown
      ng-model="MODEL_COL_FIELD"
      ng-options="field[editDropdownIdLabel] as field[editDropdownValueLabel] CUSTOM_FILTERS for field in editDropdownOptionsArray">
    </select>
  </form>
</div>

The form post at dropdownEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

ui-grid/packages/edit/src/templates/dropdownEditor.html

Lines 1 to 11 in 4aa2cc5

	<div>
	<form
	name="inputForm">
	<select
	ng-class="'colt' + col.uid"
	ui-grid-edit-dropdown
	ng-model="MODEL_COL_FIELD"
	ng-options="field[editDropdownIdLabel] as field[editDropdownValueLabel] CUSTOM_FILTERS for field in editDropdownOptionsArray">
	</select>
	</form>
	</div>

5. The application generates HTTP request via a form post at cellEditor.html line 2.
   PoC:

<div>
  <form
    name="inputForm">
    <input
      type="INPUT_TYPE"
      ng-class="'colt' + col.uid"
      ui-grid-editor
      ng-model="MODEL_COL_FIELD" />
  </form>
</div>

The form post at cellEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.

Location:

ui-grid/packages/edit/src/templates/cellEditor.html

Lines 1 to 10 in 4aa2cc5

	<div>
	<form
	name="inputForm">
	<input
	type="INPUT_TYPE"
	ng-class="'colt' + col.uid"
	ui-grid-editor
	ng-model="MODEL_COL_FIELD" />
	</form>
	</div>

[zidingz]

If you'd like to communicate with the original discloser of this security issue, or ensure he is rewarded for his research, simply let me know which GitHub users you wish to be authorised to visit the report pages below, and I'll get it sorted for you.

Reports:
https://huntr.dev/bounties/4f9df0a7-6388-4fef-9476-d8aa9b956d58/
https://huntr.dev/bounties/5474bb43-2bf5-4c72-9abc-fccd4dd13e92/
https://huntr.dev/bounties/4fefa8f2-5743-4793-a595-90a822708e47/
https://huntr.dev/bounties/b8da7d50-c25b-408b-bc34-a4e69bd867fc/
https://huntr.dev/bounties/c0e0caba-0cd9-4fdf-a98e-886a93adf49c/

[1esvee1]

Hey Guys, I am the original discloser of these security issues. Please advise or give me an update on this. It would be great help and confidence booster for my work.