Account Takeover In gogs.io/gogs
Description
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
Summary
In Gogs 0.14.1, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the attacker gains organization owner–equivalent privileges.
Description
When a victim is logged in as an organization owner, team member management endpoints are exposed via routes reachable by GET requests, allowing state-changing operations without a CSRF token.
Team action route allows GET
internal/cmd/web.go:390
m.Route("/teams/:team/action/:action", "GET,POST", org.TeamsAction)
CSRF validation is applied only to POST requests
Because the global CSRF check is limited to POST requests, state-changing operations reached via GET bypass CSRF protection entirely.
internal/context/auth.go:56-61
if !options.SignOutRequired && !options.DisableCSRF && c.Req.Method == "POST" && !isAPIPath(c.Req.URL.Path) { csrf.Validate(c.Context, c.csrf) if c.Written() { return } }
TeamsAction performs state changes regardless of HTTP method
TeamsAction does not branch on the HTTP method. Instead, it performs state-changing operations (such as adding or removing members) based solely on query parameters (uid, uname) and the :action path parameter.
Since the route explicitly allows GET, the add action can be executed via GET.
internal/route/org/teams.go:38-83
func TeamsAction(c *context.Context) { uid := com.StrTo(c.Query("uid")).MustInt64() if uid == 0 { c.Redirect(c.Org.OrgLink + "/teams") return } page := c.Query("page")...
Adding a user to the Owners team grants organization owner privileges
When a user joins the Owners team, OrgUser.IsOwner is set to true. Therefore, adding a user to the Owners team directly results in granting organization owner–equivalent privileges.
internal/database/org_team.go:566-576
ou := new(OrgUser) if _, err = sess.Where("uid = ?", userID). And("org_id = ?", orgID).Get(ou); err != nil { return err } ou.NumTeams++ if t.IsOwnerTeam() { ou.IsOwner = true...
Related issue: organization member actions are also state-changing via GET
For reference, organization member management endpoints are also exposed as GET routes that perform state changes without CSRF protection.
internal/cmd/web.go:382
m.Get("/members/action/:action", org.MembersAction)
MembersAction similarly does not branch on HTTP method and performs state-changing operations (public/private toggle, remove, leave) based on query parameters and the :action path parameter.
internal/route/org/members.go:31-71
func MembersAction(c *context.Context) { uid := com.StrTo(c.Query("uid")).MustInt64() if uid == 0 { c.Redirect(c.Org.OrgLink + "/members") return } org := c.Org.Organization...
Steps to Reproduce
Prepare a target user account to be added (e.g., attacker).
Confirm that the victim user is an owner of the target organization (e.g., org3) and is logged in.
Cause the victim’s browser to perform a top-level navigation to the following URL:
http://localhost:10880/org/org3/teams/owners/action/add?uid=1&uname=attacker
After the request completes, verify that the attacker user can access:
http://localhost:10880/org/org3/settings
confirming that organization owner privileges have been obtained.
Impact
Successful exploitation allows an attacker to obtain organization owner privileges, resulting in:
Full control over organization repositories, settings, and members
Unauthorized access to private repositories (confidentiality impact)
Modification or deletion of repositories and settings (integrity impact)
Repository deletion or disruption leading to service unavailability (availability impact)
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 go | 0.14.3 |
Aliases
References