Summary: Cross Site Request Forgery(CSRF) file upload in import feature leads to Remote Code Execution.
Description: When we import a tar file, there's a request made to /api/notes/root/import. Along with the file contents, there are settings like Safe Import. The issue is that there's no CSRF protections on this endpoint, which lets an attacker make request to this endpoint with the malicious tar file which has the following snippet of code
<script>top.require('child_process').exec('calc')</script>
and also explicitly set the safeImport to false to disable it. After successful import, if the user clicks on the imported note, code is executed.
Note: Since the application binds to a random port, we can bruteforce to know the port. The way I chose to do it was to include the ckeditor.js file from /libraries/ckeditor/ckeditor.js endpoint and upon successful script include we can be sure of which port the application's server is running on.
Reproduction Steps:
tar file is uploaded, you'll notice that there's no protections against CSRF attacks.Demo : Video Link
Fix: Implement Anti CSRF.
Thanks for bringing this to my attention, I will implement CSRF protection for 0.31.
Great!
Most helpful comment
Great!