Cross-Site Request Forgery (CSRF) in bigprof-software/online-invoicing-system
Jun 27th 2021
app/admin/pageDeleteGroup.php?groupID=<x> does not have a CSRF protection. This could be used by attackers to trick the admin to delete a group from their invoice system.
🕵️♂️ Proof of Concept
For this attack to work, a logged in admin, should visit the POC page.
<html> <body> <a href="http://<host>/online-invoicing-system-4.8/app/admin/pageDeleteGroup.php?groupID=<group_id>">Click Here !</a> </body> </html>
When a logged in user clicks the link a group is entirely deleted.
This vulnerability is capable of deleting groups from the platform.
Introduce a CSRF token in the request.