Hackage-Server Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in hackage-server, which lacks proper CSRF protection across its endpoints. This absence of protection allows scripts from external sites to initiate requests to the hackage server, potentially exploiting existing credentials to upload packages or execute other administrative tasks. Additionally, some unauthenticated actions, such as creating new user accounts, could be misused.
Impact
Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of the user, such as uploading packages or managing user accounts.
Remediation
The vulnerability has been addressed by implementing a CSRF middleware that checks all requests, except those using certain approved non-browser user agents or token authentication. This fix has been deployed on hackage.haskell.org.
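The following is an added illustration of the kind of check the remediation describes, written here for this page and not taken from hackage-server's own code. It assumes a site origin of https://hackage.example, an allowlist of non-browser user-agent prefixes (cabal-install and stack) and an `Authorization: X-ApiKey ...` header as the token-auth form; all three are assumptions for the example. The sample requests at the bottom are constructed to show each branch: a cross-site browser POST carrying the session cookie is rejected, while same-origin browser requests, token-authenticated requests and approved non-browser clients pass.

```python
"""Illustrative CSRF-check middleware modelled on the remediation above.

Assumptions (this is example code, not hackage-server's implementation):
  - a request is a dict with 'method' and 'headers' keys;
  - SITE_ORIGIN is the origin the server is served from;
  - token authentication is an 'Authorization: X-ApiKey <token>' header;
  - APPROVED_UA_PREFIXES lists the non-browser clients that are exempt.
"""
from __future__ import annotations

from urllib.parse import urlsplit

SITE_ORIGIN = "https://hackage.example"          # assumed origin for the example
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}        # read-only; never state-changing
APPROVED_UA_PREFIXES = ("cabal-install/", "stack/")  # assumed allowlist


def _origin_of(url: str) -> str | None:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_token_authenticated(headers: dict) -> bool:
    # Tokens live in a header a browser never attaches on its own, so a
    # cross-site page cannot ride on them the way it can on a session cookie.
    return headers.get("authorization", "").lower().startswith("x-apikey ")


def is_approved_non_browser(headers: dict) -> bool:
    # Browsers forbid page scripts from setting User-Agent, so a spoofed
    # allowlisted UA cannot come from a cross-site script in a real browser.
    return headers.get("user-agent", "").startswith(APPROVED_UA_PREFIXES)


def csrf_check(request: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for one request."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    method = request.get("method", "GET").upper()

    if method in SAFE_METHODS:
        return True, "safe method"
    if is_token_authenticated(headers):
        return True, "token authentication"
    if is_approved_non_browser(headers):
        return True, "approved non-browser client"

    # Everything else is treated as a browser request that may carry the
    # user's cookies: the Origin (or, failing that, Referer) must match ours.
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return False, "state-changing request without Origin/Referer"
    if _origin_of(source) != SITE_ORIGIN:
        return False, f"cross-site request from {source!r}"
    return True, "same-origin browser request"


# Constructed sample requests covering each branch of the check.
SAMPLE_REQUESTS = {
    "cross_site_upload": {"method": "POST", "headers": {
        "Origin": "https://attacker.example", "Cookie": "session=abc"}},
    "lookalike_host": {"method": "POST", "headers": {
        "Referer": "https://hackage.example.attacker.example/x", "Cookie": "session=abc"}},
    "no_origin_post": {"method": "POST", "headers": {"Cookie": "session=abc"}},
    "same_origin_upload": {"method": "POST", "headers": {
        "Referer": "https://hackage.example/packages/upload", "Cookie": "session=abc"}},
    "token_upload": {"method": "PUT", "headers": {"Authorization": "X-ApiKey 0123"}},
    "cabal_upload": {"method": "PUT", "headers": {"User-Agent": "cabal-install/3.10.1.0"}},
    "package_page": {"method": "GET", "headers": {"Cookie": "session=abc"}},
}


def run_samples() -> dict[str, bool]:
    """Evaluate every constructed sample; returns name -> allowed."""
    return {name: csrf_check(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        allowed, reason = csrf_check(req)
        print(f"{name:20s} {'ALLOW' if allowed else 'BLOCK':5s} {reason}")
```

The two exemptions are safe only because of what a browser will not do on a cross-site page's behalf: it never attaches an `Authorization` header by itself, and page scripts cannot set `User-Agent`. A deployment that accepts tokens from cookies, or that trusts a user agent a browser could present, would reopen the hole the middleware closes.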
