huntr report F14431E2-F1F6-4331-BA91-A4EA8B26BE0C
History: Dec 20, 2021 - 2:16 p.m.

Cross-Site Request Forgery (CSRF) in star7th/showdoc

2021-12-20 14:16:48
khanhchauminh
www.huntr.dev
Tags: csrf, vulnerability, showdoc, exposure, data, logout, user, website, attack, unintended action

EPSS: 0.001 (percentile 47.8%)

Description

I found that the CSRF vulnerability I reported to you before (https://huntr.dev/bounties/1d8439e8-b3f7-40f8-8b30-f9cb05ff2bcd/) can still be exploited via a GET request.
An attacker is able to perform unintended actions in the victim's account by tricking other users into clicking a hyperlink on a malicious page of the project.
Furthermore, the user id “uid” is also exposed via the JSON response.

1. Create a new group

Vulnerable URL

https://www.showdoc.com.cn/server/index.php?s=/api/itemGroup/save

Steps to reproduce

1. User A adds a new project, then adds another member (User B) to that project.
2. User A goes into that project and opens or edits a page.

When rendering Markdown, the website does not filter or check that the link properties are valid, so when user A enters

[View me](https://www.showdoc.com.cn/server/index.php?s=/api/itemGroup/save)

It will render as <a href="https://www.showdoc.com.cn/server/index.php?s=/api/itemGroup/save">View me</a>

3. When user B views that page and clicks on that hyperlink, a new group is added to user B’s account.


Furthermore, the user id uid is also exposed via the JSON response:

{"error_code":0,"data":{"id":"2199","uid":"359287","group_name":"","item_ids":"","s_number":"0","created_at":"2021-12-20 22:15:14","updated_at":"2021-12-20 22:15:14"}}

Proof-of-Concept

You can check my PoC here: PoC

Impact

This can result in unintended code execution with the exposure of data.

=================================================

2. Forge user unintentional logout

An attacker is able to log out a user if a logged-in user visits the attacker’s website.

Vulnerable URL

https://www.showdoc.com.cn/server/index.php?s=/api/user/logout

Steps to reproduce

1. User A adds a new project, then adds another member (User B) to that project.
2. User A goes into that project and opens or edits a page.

When rendering Markdown, the website does not filter or check that the link properties are valid, so when user A enters

[View me](https://www.showdoc.com.cn/server/index.php?s=/api/user/logout)

It will render as <a href="https://www.showdoc.com.cn/server/index.php?s=/api/user/logout">View me</a>

3. When user B views that page and clicks on that hyperlink, they will be logged out of showdoc.

Impact

This vulnerability allows an attacker to force users to log out unintentionally.

More details

One way GET could be abused here is that a person (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, they will be unknowingly logged out. This is why it should be a POST with a CSRF token.
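As an added example (not showdoc's code and not the reporter's PoC), the following Python sketch models the two routes named in this report and contrasts the behaviour described above with the fix the author calls for: state-changing routes accept only POST and require a per-session CSRF token. The `Session` class, the `vulnerable_handle` / `hardened_handle` dispatchers, `follow_link`, the server secret and the session values are all constructed for the demo; showdoc's real routing, session handling and response format are not reproduced beyond the `s=` query parameter and the `error_code` field visible in the report.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed secret for the demo; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"

# The two routes from the report. showdoc selects the route with the "s" query
# parameter (index.php?s=/api/...), which follow_link() below mirrors.
STATE_CHANGING_ROUTES = {"/api/user/logout", "/api/itemGroup/save"}

Response = Tuple[int, dict]


@dataclass
class Session:
    """Hypothetical server-side session; a real app keys this by a cookie."""
    session_id: str
    uid: int                      # kept server-side, never echoed in responses
    logged_in: bool = True
    groups: List[dict] = field(default_factory=list)


def csrf_token(session: Session) -> str:
    """Per-session token: HMAC(secret, session id). It is embedded in forms the
    app itself serves, so a link or <img> planted in Markdown cannot carry it."""
    return hmac.new(SERVER_SECRET, session.session_id.encode(), hashlib.sha256).hexdigest()


def _perform(route: str, session: Session, form: Dict[str, str]) -> Response:
    """The actual state change, shared by both dispatchers."""
    if route == "/api/user/logout":
        session.logged_in = False
        return 200, {"error_code": 0}
    if route == "/api/itemGroup/save":
        group = {"id": len(session.groups) + 1, "group_name": form.get("group_name", "")}
        session.groups.append(group)
        # Return only what the client needs; the report shows "uid" leaking here.
        return 200, {"error_code": 0, "data": dict(group)}
    return 404, {"error_code": 404, "error": "no such route"}


def vulnerable_handle(method: str, route: str, session: Session,
                      form: Optional[Dict[str, str]] = None) -> Response:
    """Behaviour the report describes: any method, no token, the cookie suffices."""
    return _perform(route, session, form or {})


def hardened_handle(method: str, route: str, session: Session,
                    form: Optional[Dict[str, str]] = None) -> Response:
    """State-changing routes require POST plus a token bound to this session."""
    form = form or {}
    if route in STATE_CHANGING_ROUTES:
        if method != "POST":
            # A rendered Markdown link or an <img src=...> can only produce a GET.
            return 405, {"error_code": 405, "error": "method not allowed"}
        supplied = form.get("csrf_token", "").encode()
        # compare_digest avoids leaking the token through timing differences.
        if not hmac.compare_digest(supplied, csrf_token(session).encode()):
            return 403, {"error_code": 403, "error": "missing or invalid CSRF token"}
    return _perform(route, session, form)


def follow_link(href: str, session: Session, handler) -> Response:
    """Simulate user B clicking a rendered link: the browser issues a GET with
    the session cookie attached automatically and no form body."""
    route = parse_qs(urlparse(href).query).get("s", [""])[0]
    return handler("GET", route, session)


LOGOUT_LINK = "https://www.showdoc.com.cn/server/index.php?s=/api/user/logout"
SAVE_LINK = "https://www.showdoc.com.cn/server/index.php?s=/api/itemGroup/save"


def demo() -> dict:
    """Run the report's two scenarios against both dispatchers."""
    victim = Session("sess-b", uid=1001)              # constructed session
    status_vuln, _ = follow_link(LOGOUT_LINK, victim, vulnerable_handle)
    logged_out_by_link = not victim.logged_in

    victim = Session("sess-b", uid=1001)
    status_hard, _ = follow_link(SAVE_LINK, victim, hardened_handle)
    other = Session("sess-c", uid=1002)
    status_wrong_token, _ = hardened_handle(
        "POST", "/api/itemGroup/save", victim, {"csrf_token": csrf_token(other)})
    status_ok, body_ok = hardened_handle(
        "POST", "/api/itemGroup/save", victim,
        {"csrf_token": csrf_token(victim), "group_name": "team"})
    return {
        "vulnerable_get_status": status_vuln,
        "vulnerable_logged_out": logged_out_by_link,
        "hardened_get_status": status_hard,
        "hardened_wrong_token_status": status_wrong_token,
        "hardened_post_status": status_ok,
        "uid_in_response": "uid" in body_ok.get("data", {}),
        "groups_created": len(victim.groups),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting. SameSite cookies are not a substitute for the token here: the malicious link lives on a project page of the same site, so the browser sends the session cookie either way, and only the POST-plus-token check stops the rendered link from acting. Second, the group-save response returns just the new record's own fields; keeping `uid` out of it closes the separate information leak the report points at.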

Note

While this cannot harm a user’s account, it can be a great annoyance and is a valid CSRF.
