AllskyTeam AllSky Cross-Site Request Forgery Vulnerability Leading to Denial-of-Service
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in AllskyTeam AllSky version 2024.12.06_06. This vulnerability allows remote attackers to cause a denial-of-service by sending a forged POST request that the server accepts without proper validation. The issue arises because the affected user interface forms do not include a CSRF token, and the backend request handler fails to validate such tokens, allowing cross-origin POST requests to be processed as commands. Exploiting this vulnerability can disrupt network connectivity by shutting down all active Ethernet or wireless interfaces, making the server unreachable over the network.
Impact
Exploitation of this vulnerability can lead to a denial-of-service condition, causing the server to become unreachable over the network by shutting down all active Ethernet or wireless interfaces.
Reproduction
To reproduce this vulnerability, an authenticated administrator's browser can be tricked into submitting a forged POST request to the Allsky UI. This can be done by creating a malicious website that automatically sends a POST request with the 'turn_down' parameter, targeting the LAN or WLAN dashboard. When the victim visits the website, the request is sent without their knowledge, and all active interfaces are disabled, causing a loss of network connectivity.
Remediation
Users are advised to update to a version of Allsky that includes CSRF token validation in the dashboard forms and ensures that the backend request handlers validate CSRF tokens before processing commands.
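The remediation above describes a token check in the dashboard forms and in the backend handler. The following Python model, added here as an illustration and not taken from the AllSky project (whose request handler is not shown on this page), contrasts an unchecked handler for the 'turn_down' action with one that requires a per-session CSRF token, compares it in constant time, and additionally verifies the request origin. The request and session classes, the route, and the origin https://allsky.example are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical origin of the Allsky UI; a real deployment would configure its own.
ALLOWED_ORIGIN = "https://allsky.example"


@dataclass
class Session:
    # One random token per login session; never derived from predictable data.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    # Constructed request model standing in for the web framework's request object.
    method: str
    form: dict
    headers: dict
    session: Session


def render_form(session: Session) -> str:
    # The dashboard form carries the session token in a hidden field, so only
    # a page served by the UI itself can produce a request containing it.
    return (
        '<form method="post" action="/dashboard/lan">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<button name="turn_down" value="1">Disable interface</button>'
        "</form>"
    )


def same_origin(url: str) -> bool:
    # Compare scheme and host exactly; a prefix check would accept look-alike hosts.
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def csrf_valid(request: Request) -> bool:
    submitted = request.form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not submitted or not hmac.compare_digest(submitted, request.session.csrf_token):
        return False
    # Defense in depth: browsers attach Origin (or Referer) to cross-site POSTs.
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    return same_origin(origin)


def handle_dashboard_post_unchecked(request: Request, shutdown_interfaces) -> tuple:
    # Illustrative unchecked handler: any POST with 'turn_down' is executed,
    # which is the class of behaviour the advisory describes.
    if request.method != "POST":
        return 405, "method not allowed"
    if "turn_down" in request.form:
        shutdown_interfaces()
        return 200, "interfaces disabled"
    return 200, "no action"


def handle_dashboard_post(request: Request, shutdown_interfaces) -> tuple:
    # Hardened handler: state-changing work happens only after the token check.
    if request.method != "POST":
        return 405, "method not allowed"
    if not csrf_valid(request):
        return 403, "CSRF check failed"
    if "turn_down" in request.form:
        shutdown_interfaces()
        return 200, "interfaces disabled"
    return 200, "no action"


if __name__ == "__main__":
    session = Session()
    actions = []
    legitimate = Request("POST", {"csrf_token": session.csrf_token, "turn_down": "1"},
                         {"Origin": ALLOWED_ORIGIN}, session)
    forged = Request("POST", {"turn_down": "1"},
                     {"Origin": "https://attacker.example"}, session)
    print(handle_dashboard_post(legitimate, lambda: actions.append("down")))
    print(handle_dashboard_post(forged, lambda: actions.append("down")))
    print(actions)
```

The forged request fails on the missing token before the origin header is even consulted; the origin check exists for the case where a token leaks or is mishandled. Keeping the interface shutdown behind a POST-only, token-checked handler also means a plain link or image tag cannot trigger it.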