Summary
The endpoint
/admin/projects/{projectname}/skills/{skillname}/video
(and probably others) is open to a CSRF vulnerability that allows an attacker to modify the video shown in the skill as well as its captions and text.
Details
The endpoint is
skills-service/service/src/main/java/skills/controller/AdminController.groovy, line 574 in 24dd22f:
SkillVideoAttrs saveSkillVideoAttrs(@PathVariable("projectId") String projectId,
It is CSRF-able: it is a POST request, it accepts a content type that a cross-site form submission can produce (multipart file upload), it makes a state change, and it has no CSRF mitigations in place (no SameSite flag on the session cookie, no CSRF token). It is therefore possible to perform a CSRF attack against a logged-in admin account, leading to an unauthorised change of the skill video.
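A server-side check of the kind that would close this hole, as an added example (not code from the skills-service project): it rejects state-changing requests whose Fetch Metadata or Origin/Referer headers show they came from another site, independently of the content type. The site origin and the two sample header sets are assumed/constructed.

```python
# Added example (not skills-service code): reject cross-site state-changing
# requests by checking the Fetch Metadata and Origin/Referer headers.
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed deployment origin; the PoC runs the service on port 8080.
SITE_ORIGIN = "http://localhost:8080"


def _origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def check_request(method: str, headers: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for a request to a state-changing endpoint.

    Content-Type is deliberately not consulted: multipart/form-data is one of
    the types a cross-site HTML <form> can submit with the victim's cookies
    and without a CORS preflight, which is exactly what the PoC relies on.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Fetch Metadata: modern browsers label cross-site requests themselves.
    sfs = h.get("sec-fetch-site")
    if sfs is not None and sfs not in ("same-origin", "none"):
        return False, f"Sec-Fetch-Site={sfs}"

    # 2. Origin header (sent on every browser POST); "null" never matches.
    origin = h.get("origin")
    if origin is not None:
        if origin.lower() == SITE_ORIGIN:
            return True, "Origin matches site"
        return False, f"Origin {origin} is not {SITE_ORIGIN}"

    # 3. Referer fallback for older clients that omit Origin.
    referer = h.get("referer")
    if referer and _origin_of(referer) == SITE_ORIGIN:
        return True, "Referer matches site"

    # Fail closed: a browser never omits all three on a cross-site POST, and
    # non-browser API clients should carry an explicit token instead.
    return False, "no usable Origin/Referer"


# Constructed sample headers: the admin UI's own upload, and the PoC's form post.
ADMIN_UPLOAD = {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"}
CSRF_UPLOAD = {"Origin": "https://joebeeton.github.io", "Sec-Fetch-Site": "cross-site"}
```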
PoC
Using the attached docker compose:
docker-compose up
(I cannot attach files.) But it's the skills service running on port 8080. I can send it to you another way if you prefer.
Create an admin account, log in, and create a project named "testproject1", a subject called "testSubject" and a skill called "testSkill".
While logged in (in Firefox, not Chrome), go to https://joebeeton.github.io/csrf.html
This will trigger the vulnerability. Once done, look at the video configuration for testSkill and you will see it has been changed.
Impact
This allows an attacker that can target a logged-in admin of Skills Service to modify the videos, captions and text of the skill.