PwnDoc
cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*
- latest
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PwnDoc, a penetration test report generator. The issue arises from the lack of CSRF protection, enabling attackers to send requests on behalf of logged-in users. This vulnerability affects both GET and POST requests, due to the absence of the SameSite attribute on cookies and the ability to refresh cookies. Exploitation can lead to unauthorized actions, such as creating admin accounts.
Successful exploitation lets an attacker perform actions on behalf of a logged-in user, including sending authenticated POST requests that may result in unauthorized changes or actions within the application, such as creating admin accounts.
To reproduce this vulnerability, log into PwnDoc and open the '/api/users/refreshtoken' URL in a new window. This will refresh the 'refreshToken' cookie, which is then sent along with a POST request to the 'create user' endpoint. The absence of CSRF protection allows this request to be made without the user's consent. A full exploit script is available on GitHub Gist, which automates this process and can be used to create a backdoor admin account.
Users can update to the latest version of PwnDoc, where this vulnerability has been patched.
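As an added illustration of the defensive side, not PwnDoc's own code or its patch, the snippet below shows the two controls that close this class of issue: issuing the refresh-token cookie with a SameSite attribute so a browser will not attach it to requests initiated from another site, and rejecting state-changing requests whose origin is not the application's own. It assumes an Express-style request object (req.method, req.get(header)); the allowed origin and token values are constructed.

```javascript
// Added example, not PwnDoc's code. Assumes an Express-style req/res/next.

// Build the Set-Cookie value for the refresh token. SameSite=Strict stops the
// browser from sending it on cross-site requests, including a top-level
// navigation to the refresh endpoint opened from another site.
function refreshTokenCookie(token, maxAgeSeconds = 7 * 24 * 3600) {
  return [
    `refreshToken=${encodeURIComponent(token)}`,
    'Path=/api/users/refreshtoken', // scope the cookie to the refresh endpoint
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
  ].join('; ');
}

// Methods that must not change server state and so need no origin check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// True when a state-changing request was initiated by another site.
// Prefers the browser-set Sec-Fetch-Site header; falls back to comparing
// Origin with the site's own origin, and refuses when neither is present.
function isCrossSite(req, allowedOrigin) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return false;
  const fetchSite = req.get('Sec-Fetch-Site');
  if (fetchSite) return fetchSite !== 'same-origin' && fetchSite !== 'none';
  const origin = req.get('Origin');
  if (!origin) return true; // no Origin on a POST: do not guess, reject
  return origin !== allowedOrigin;
}

// Express-style middleware: refuse cross-site POST/PUT/DELETE before any
// handler (such as user creation) can run.
function csrfGuard(allowedOrigin) {
  return (req, res, next) => {
    if (isCrossSite(req, allowedOrigin)) {
      return res.status(403).json({ error: 'cross-site request rejected' });
    }
    next();
  };
}
```

Mount csrfGuard ahead of every API route that changes state; the cookie attribute alone does not protect non-browser clients that send the token explicitly, so both controls are needed.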