CSRF Vulnerability #330

Closed
ankane opened this issue Aug 4, 2020 · 0 comments

ankane commented Aug 4, 2020

PgHero is vulnerable to cross-site request forgery (CSRF). This vulnerability has been assigned the CVE identifier CVE-2020-16253.

Versions Affected: 2.6.0 and below
Fixed Versions: 2.7.0

Impact

The PgHero dashboard is vulnerable to cross-site request forgery (CSRF). This affects the Docker image, Linux packages, and in specific cases, the Ruby gem. The Ruby gem is vulnerable with non-session-based authentication methods like basic authentication; session-based authentication methods (like Devise's default authentication) are not affected.

A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, actions include:

  1. Canceling running queries
  2. Running EXPLAIN on queries (the attacker does not see the results, but this can be used for denial of service and other attacks)
  3. Resetting query stats (running pg_stat_statements_reset())

All users running an affected release should upgrade immediately.

Credits

Thanks to Heiko Webers of https://bauland42.com for reporting this.

Technical Details

PgHero uses the protect_from_forgery method from Rails to prevent CSRF. However, this defaults to :null_session, which has no effect on non-session based authentication methods. This has been changed to protect_from_forgery with: :exception.

@ankane ankane closed this as completed Aug 4, 2020
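The distinction in the Technical Details above (the Rails default `:null_session` versus `protect_from_forgery with: :exception`) is easy to get wrong, so here is an added example, not PgHero's or Rails' code, that models the two strategies in plain Ruby without a Rails dependency. The class and method names, the token value and the `admin:secret` credentials are constructed for the illustration; the only real Rails identifiers referenced are the strategy names themselves.

```ruby
# Added example (not PgHero's or Rails' code): a small pure-Ruby model of the two
# Rails forgery-protection strategies, built to show why the default
# `protect_from_forgery` (:null_session) leaves an HTTP-Basic-authenticated
# dashboard exposed while `protect_from_forgery with: :exception` does not.
# Names, the token value and the credentials below are hypothetical/constructed.

CSRF_TOKEN = 'a1b2c3d4e5f6'          # constructed: the token a legitimate page embeds
BASIC_CREDENTIALS = 'admin:secret'    # constructed: the dashboard's basic-auth user

class InvalidAuthenticityToken < StandardError; end

# Constant-time string comparison, as a CSRF token check must use.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_csrf_token?(request)
  secure_equal?(request[:params]['authenticity_token'].to_s, CSRF_TOKEN)
end

# Session-based auth reads the user from the (cookie-backed) session; basic
# auth reads it from the Authorization header the browser attaches automatically.
def authenticate(request, session, auth)
  case auth
  when :session
    session['user_id']
  when :basic
    header = request[:headers]['Authorization'].to_s
    return nil unless header.start_with?('Basic ')
    header.delete_prefix('Basic ').unpack1('m') == BASIC_CREDENTIALS ? 'admin' : nil
  end
end

# Models the request cycle: forgery check first, then authentication, then the
# action (in PgHero's case e.g. cancelling a query or pg_stat_statements_reset()).
def handle(request, strategy:, auth:)
  session = request[:session].dup
  unless request[:method] == 'GET' || valid_csrf_token?(request)
    case strategy
    when :null_session then session = {}          # Rails default: blank the session, continue
    when :exception    then raise InvalidAuthenticityToken
    end
  end
  user = authenticate(request, session, auth)
  return :rejected_unauthenticated unless user
  :action_ran
end

# A cross-site POST: the victim's browser adds the session cookie and the cached
# basic-auth header, but the attacker's page cannot supply the authenticity token.
FORGED = {
  method: 'POST',
  params: {},
  headers: { 'Authorization' => "Basic #{[BASIC_CREDENTIALS].pack('m0')}" },
  session: { 'user_id' => 'admin' }
}.freeze

def outcomes
  {
    null_session_basic:    handle(FORGED, strategy: :null_session, auth: :basic),
    null_session_session:  handle(FORGED, strategy: :null_session, auth: :session),
    exception_basic:       (handle(FORGED, strategy: :exception, auth: :basic) rescue :rejected_csrf),
    legit_exception_basic: handle(FORGED.merge(params: { 'authenticity_token' => CSRF_TOKEN }),
                                  strategy: :exception, auth: :basic)
  }
end

if __FILE__ == $PROGRAM_NAME
  outcomes.each { |k, v| puts "#{k}: #{v}" }
end
```

Running it shows the point of the advisory: with `:null_session` the failed token check only blanks the session, so a forged POST carrying a basic-auth header is still authenticated and the action runs, while the same forged request against session-based auth ends up with no user and is refused. With `:exception` the request is rejected before any authentication or action, and a request that carries the correct token still goes through. The model deliberately omits the parts of the real Rails check that do not change the comparison (token masking and binding the token to the session).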