CSRF protection incorrectly disabled
Description
In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open Build Service (OBS) before 2.4.6 had CSRF protection disabled, allowing attackers to forge requests on behalf of authenticated users.
Vulnerability
In the Open Build Service (OBS) web interface before version 2.4.6, the CSRF (Cross-Site Request Forgery) protection mechanism was incorrectly disabled. The controller Webui::WebuiController lacked a call to protect_from_forgery, leaving all state-changing endpoints vulnerable to forged requests. This was addressed in commit 2188c059b67b82171d0e28ef59f77e62d22a09d8 [1].
Exploitation
An attacker lures an authenticated victim to attacker-controlled content (a malicious link, or a page containing a cross-origin HTML form that auto-submits to an OBS web endpoint). The victim's browser attaches the OBS session cookie to that request, and because the CSRF token is never validated, the server processes it as if the victim had submitted it. No special network position is required; the attack works remotely against any logged-in user who visits the attacker's page.
Impact
Successful exploitation allows an attacker to perform state-changing actions on the OBS instance with the victim's privileges. Depending on the victim's role this may include altering projects, submitting or deleting packages, or modifying configuration, leading to unauthorized data modification or project compromise. Integrity is the property primarily affected: the attacker cannot read the responses to forged requests (the same-origin policy still applies), but forged changes such as altering access settings can indirectly expose data.
Mitigation
The fix was released in OBS version 2.4.6. Users should upgrade to this version or later. The commit 2188c059b67b82171d0e28ef59f77e62d22a09d8 reintroduces CSRF protection via protect_from_forgery and handles unverified requests by resetting the session or raising an exception [1]. No workaround is documented for earlier versions.
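The mechanism the fix restores, and why the forged request in the Exploitation section succeeds without it, is easier to see in running code. The following is an added example written for this page; it is not OBS code and not the Rails implementation. It reimplements in plain Ruby what Rails' protect_from_forgery enforces (a per-session secret that must be echoed back in the authenticity_token field or the X-CSRF-Token header) and models the two strategies the commit uses for unverified requests, :reset_session and :exception. The names CsrfProtection, WebuiController, ProjectStore, Request and simulate, and the "delete a package" action, are assumptions made for illustration.

```ruby
require 'securerandom'

# Minimal stand-ins for a Rails session and request so the check runs
# outside Rails. Constructed for this example; not OBS code.
Request = Struct.new(:verb, :params, :headers, :session, keyword_init: true)

class ForgeryError < StandardError; end

# Mimics what Rails' protect_from_forgery enforces: every state-changing
# request must echo the per-session secret, either as the
# "authenticity_token" form field or the X-CSRF-Token header.
module CsrfProtection
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # Issued when the server renders a form; kept in the session and embedded
  # in the page. A cross-origin attacker cannot read it (same-origin policy).
  def self.session_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  def self.verified?(request)
    return true if SAFE_METHODS.include?(request.verb.to_s.upcase)
    expected = request.session[:_csrf_token]
    supplied = request.params['authenticity_token'] || request.headers['X-CSRF-Token']
    return false if expected.nil? || supplied.nil?
    constant_time_equal?(supplied.to_s, expected)
  end

  # Compare without an early exit on the first mismatching byte, so timing
  # does not leak how much of the token an attacker guessed correctly.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in for OBS state that a forged request could alter.
class ProjectStore
  attr_reader :packages
  def initialize(packages)
    @packages = packages.dup
  end
end

# forgery_strategy: nil reproduces the pre-2.4.6 controller (no check at all);
# :reset_session and :exception are the two strategies the fix uses.
class WebuiController
  def initialize(store, forgery_strategy: nil)
    @store = store
    @strategy = forgery_strategy
  end

  def delete_package(request)
    if @strategy && !CsrfProtection.verified?(request)
      case @strategy
      when :exception then raise ForgeryError, 'invalid authenticity token'
      when :reset_session then request.session.clear # request continues, but logged out
      end
    end
    return { status: 403, body: 'login required' } unless request.session[:user]
    @store.packages.delete(request.params['package'])
    { status: 200, body: 'deleted' }
  end
end

# Drives one POST against a controller variant. The victim's browser attaches
# the session cookie automatically, so the session is the victim's; a form on
# the attacker's origin cannot include the real token (with_token: false).
def simulate(strategy, with_token: false)
  store = ProjectStore.new(%w[foo bar])
  session = { user: 'alice' }
  token = CsrfProtection.session_token(session)
  params = { 'package' => 'foo' }
  params['authenticity_token'] = token if with_token
  request = Request.new(verb: 'POST', params: params, headers: {}, session: session)
  controller = WebuiController.new(store, forgery_strategy: strategy)
  status = begin
    controller.delete_package(request)[:status]
  rescue ForgeryError
    422 # Rails reports InvalidAuthenticityToken as 422 Unprocessable Entity
  end
  [status, store.packages]
end

if __FILE__ == $PROGRAM_NAME
  p simulate(nil)                          # [200, ["bar"]]        forged request succeeds
  p simulate(:reset_session)               # [403, ["foo", "bar"]] session dropped, action refused
  p simulate(:exception)                   # [422, ["foo", "bar"]] request rejected outright
  p simulate(:exception, with_token: true) # [200, ["bar"]]        legitimate same-origin form
end
```

Two things worth noting when reading the output. First, the check only bites on non-safe methods, so any action that changes state over GET is still forgeable; the fix assumes OBS uses POST/PUT/DELETE for writes. Second, :reset_session does not stop the request, it strips the victim's login and lets the action run as an anonymous user, so the protection is only as good as the authorization check that follows it; :exception fails closed.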
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Open Build Service: versions before 2.4.6 (range <2.4.6)
- openSUSE/Open Build Service: range unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugzilla.suse.com/show_bug.cgi (CONFIRM)
- github.com/openSUSE/open-build-service/commit/2188c059b67b82171d0e28ef59f77e62d22a09d8 (CONFIRM)
News mentions
No linked articles in our index yet.