FS#189 - CSRF token leakage via URL parameters in admin.alwaysdata.com
Status: Closed
Assigned To: cbay - Private
Opened by monty099 - 04.07.2025
Last edited by cbay - 04.07.2025
Summary:
When using the email outbound logs filters in the Alwaysdata admin panel, the CSRF token (csrfmiddlewaretoken) is included as a GET parameter in the URL. This token is supposed to be secret and strictly bound to the user session and to a specific request context. More critically, this token is reusable and can be used with different requests and endpoints, which allows an attacker who obtains it to perform multiple state-changing actions on behalf of the victim without requiring any further user interaction.
Steps to Reproduce:
1. Log in to your Alwaysdata admin panel.
2. Navigate to Emails → Outbound Logs.
3. Apply any filter (e.g., by date or keyword).
4. Observe that the URL now contains a parameter such as: csrfmiddlewaretoken=XXXXXXXXXXXX
5. Copy this URL. You will notice that the token remains valid and can be reused for different requests.
Impact:
Information Disclosure: The CSRF token is exposed in browser history, logs, and potentially leaked via the Referer header when the victim visits external websites afterward.
CSRF Exploitation: Since the token is reusable, an attacker can use it to craft malicious requests (delete, modify, send, etc.) and execute them on behalf of the victim, leading to potential account takeover or severe unwanted actions.
Recommendation:
Completely remove the CSRF token from URL parameters. Pass the CSRF token only as a hidden form field or in a custom HTTP header (e.g., X-CSRFToken). Mark tokens as single-use and ensure they expire after each action.
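A check for this class of leak, added here as an example; it is not part of the original report and not alwaysdata's code. It parses web-server access-log lines in the combined log format, flags any request target or Referer whose query string carries a CSRF token parameter, and shows a redacted form of the URL that is safe to retain. The log lines are constructed for the example; `csrfmiddlewaretoken` is Django's default hidden-field name (the one in the report), while the other names in `TOKEN_PARAMS` are assumed examples so the check generalises to other frameworks. Background the report implies but does not spell out: `{% csrf_token %}` renders a hidden input named `csrfmiddlewaretoken`, and a filter form with `method="get"` serialises that field into the query string like any other field; Django's `CsrfViewMiddleware` does not check GET, HEAD, OPTIONS or TRACE requests, so the fix is to drop the tag from GET forms rather than to carry the token in the URL at all.

```python
"""Flag CSRF tokens that leak through URL query strings in access logs.

Added example, not part of the original report. Sample log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that must never appear in a URL. Only the first is from the
# report (Django's default); the others are assumed names for illustration.
TOKEN_PARAMS = {
    "csrfmiddlewaretoken",   # Django's {% csrf_token %} hidden field
    "_csrf",                 # assumed: generic name used by some frameworks
    "authenticity_token",    # assumed: Rails-style name
}

# Combined log format:
# ip ident user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def leaked_tokens(url):
    """Return {param: value} for every token-named parameter in url's query string."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True) if k in TOKEN_PARAMS}


def redact(url):
    """Return url with token values replaced, so the line can be kept without the secret."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """Scan access-log lines; report each token found in the request target or Referer.

    The Referer check catches the second leak path from the report: a victim
    navigating from the filtered page to another site sends the token-bearing
    URL as the Referer, so it also shows up in the other site's log.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        for field in ("target", "referer"):
            for param, value in leaked_tokens(m.group(field)).items():
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "method": m.group("method"),
                    "where": field,
                    "param": param,
                    "value": value,
                    "redacted": redact(m.group(field)),
                })
    return findings


# Constructed sample: a GET filter request leaking the token in its query string,
# a clean POST, a request on another site whose Referer carries the same token,
# and one line that is not in combined log format.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jul/2025:10:00:01 +0200] '
    '"GET /admin/mails/logs/?q=bounce&csrfmiddlewaretoken=AbCdEf0123456789 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Jul/2025:10:00:05 +0200] '
    '"POST /admin/mails/logs/ HTTP/1.1" 302 0 '
    '"https://admin.example/admin/mails/logs/" "Mozilla/5.0"',
    '198.51.100.4 - - [04/Jul/2025:10:01:00 +0200] '
    '"GET /favicon.ico HTTP/1.1" 200 318 '
    '"https://admin.example/admin/mails/logs/?q=bounce&csrfmiddlewaretoken=AbCdEf0123456789" '
    '"Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} token in {f['where']}: "
              f"{f['param']} -> {f['redacted']}")
```

To run it over a real file, pass `open(path)` to `scan_log` instead of `SAMPLE_LOG`. A finding is a reason to rotate the affected session, not only to redact the line: Django's `django.contrib.auth.login` calls `rotate_token`, so forcing re-authentication invalidates a leaked token, and until that happens the token stays valid for use alongside the victim's `csrftoken` cookie.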
Hello,
Thanks, it's now fixed. We'll get back to you by ticket regarding your bounty.
Kind regards,
Cyril