Cross-Site Request Forgery (CSRF) in pheditor/pheditor

Valid

Reported on Dec 26th 2021


Description

Hi there, there is a minor CSRF problem in your logout function; this will force the user to log out without their consent.

Proof of Concept

  1. Install pheditor on your system
  2. Log in as admin
  3. Go to this link /pheditor/pheditor.php?logout=1
  4. See that you are logged out of pheditor.

Impact

This vulnerability is capable of CSRF.
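What makes the PoC a CSRF rather than a self-inflicted logout is that the logout is a plain GET with no secret: a link or redirect on an attacker-controlled page is a top-level navigation, so the browser attaches the admin's session cookie even under the SameSite=Lax default, and the session is ended. The following PHP is an added illustration, not pheditor's code and not the fix merged in 7660bd (whose contents are not shown on this page). It sketches a logout handler in the shape the PoC implies beside a hardened one that accepts logout only over POST with a per-session token. Function names, the session layout and the sample requests are assumptions made for the example.

```php
<?php
// Added example, not pheditor's code. Illustrates a logout endpoint that can be
// triggered cross-site (GET ?logout=1, as in the PoC) and a CSRF-resistant one.
// Session layout, function names and the sample requests below are assumptions.

declare(strict_types=1);

// --- Vulnerable pattern (assumed shape, matching the PoC URL) ---------------
// Any request that carries the session cookie and ?logout=1 ends the session.
// A cross-site page only needs to get the admin to follow a link such as
//   <a href="https://target.example/pheditor/pheditor.php?logout=1">...</a>
// (a top-level navigation, so the cookie is sent even with SameSite=Lax).
function logoutVulnerable(array $get, array &$session): bool
{
    if (isset($get['logout'])) {
        $session = [];      // drop the login state
        return true;        // user is now logged out
    }
    return false;
}

// --- Hardened pattern --------------------------------------------------------
// 1. Logout changes server-side state, so accept it only over POST.
// 2. Require a per-session anti-CSRF token that a cross-site page cannot read.
// 3. Defence in depth: cookie attributes that keep the session cookie off
//    cross-site requests (see startHardenedSession below).

function startHardenedSession(): void
{
    // PHP 7.3+ array form; 'Strict' would also block the cross-site link case.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function logoutHardened(string $method, array $post, array &$session): bool
{
    if ($method !== 'POST') {
        return false;       // rejects the ?logout=1 GET from the PoC outright
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // hash_equals() is a constant-time comparison; the is_string guard keeps
    // a crafted array parameter (csrf_token[]=x) from reaching it.
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return false;
    }
    $session = [];
    return true;
}

// The logout control becomes a form carrying the token, not a bare link.
function logoutForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="pheditor.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit" name="logout" value="1">Logout</button>'
         . '</form>';
}

// --- Walk-through with constructed requests (run: php this_file.php) --------
if (PHP_SAPI === 'cli') {
    $session = ['user' => 'admin'];
    // The PoC: GET ?logout=1 arriving with a valid session cookie.
    var_dump(logoutVulnerable(['logout' => '1'], $session));          // bool(true)

    $session = ['user' => 'admin'];
    var_dump(logoutHardened('GET', [], $session));                    // bool(false)
    // Forged cross-site POST (attacker cannot read the token).
    var_dump(logoutHardened('POST', ['logout' => '1'], $session));    // bool(false)
    // Legitimate POST from the application's own form.
    $token = csrfToken($session);
    var_dump(logoutHardened('POST', ['logout' => '1', 'csrf_token' => $token], $session)); // bool(true)
    var_dump($session);                                               // array(0) {}
}
```

Checking the fix is as simple as repeating the PoC: with the hardened handler, visiting the link while logged in must leave the session intact, and only the application's own logout form (with its token) should end it. Note that SameSite=Lax alone does not close the reported case, since a clicked link is a top-level navigation that still carries the cookie; the POST-plus-token check is the control that actually stops it.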

We are processing your report and will contact the pheditor team within 24 hours. 5 months ago
We have contacted a member of the pheditor team and are waiting to hear back 5 months ago
We have sent a follow up to the pheditor team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the pheditor team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the pheditor team. This report is now considered stale. 4 months ago
Hamid Samak validated this vulnerability 3 months ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak confirmed that a fix has been merged on 7660bd 3 months ago
Hamid Samak has been awarded the fix bounty