I found that the CSRF vulnerability that I reported to you before (https://huntr.dev/bounties/1d8439e8-b3f7-40f8-8b30-f9cb05ff2bcd/) can still be exploited via a GET request.
An attacker is able to perform unintended actions in the victim's account by tricking other users into clicking a hyperlink on a malicious page of the project.
Furthermore, the user-id “uid” is also exposed via the JSON response.
https://www.showdoc.com.cn/server/index.php?s=/api/itemGroup/save
1. User A adds a new project, then adds another member (User B) to that project.
2. User A goes into that project and opens or edits a page.
When rendering the Markdown, the website does not filter or validate the link target, so when user A enters
[View me](https://www.showdoc.com.cn/server/index.php?s=/api/itemGroup/save)
it is rendered as <a href="https://www.showdoc.com.cn/server/index.php?s=/api/itemGroup/save">View me</a>
3. When user B views that page and clicks on that hyperlink, a new group is added to user B's account.
Furthermore, the user id uid is also exposed via the JSON response:
{"error_code":0,"data":{"id":"2199","uid":"359287","group_name":"","item_ids":"","s_number":"0","created_at":"2021-12-20 22:15:14","updated_at":"2021-12-20 22:15:14"}}
You can check my PoC here: PoC
This can result in unintended code execution with the exposure of data.
An attacker is able to log out a user if a logged-in user visits the attacker’s website.
https://www.showdoc.com.cn/server/index.php?s=/api/user/logout
1. User A adds a new project, then adds another member (User B) to that project.
2. User A goes into that project and opens or edits a page.
When rendering the Markdown, the website does not filter or validate the link target, so when user A enters
[View me](https://www.showdoc.com.cn/server/index.php?s=/api/user/logout)
it is rendered as <a href="https://www.showdoc.com.cn/server/index.php?s=/api/user/logout">View me</a>
3. When user B views that page and clicks on that hyperlink, user B is logged out of showdoc.
This vulnerability allows forcing users into an unintended logout.
One way GET could be abused here is that a person (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, they will be unknowingly logged out. This is why the endpoint should require a POST with a CSRF token.
While this cannot harm a user’s account, it can be a great annoyance and is a valid CSRF.
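The fix recommended above (both endpoints should accept only POST, and only with a valid per-session CSRF token), shown as an added Python example that is not showdoc's code; the Request and Session containers, the handler names and the token field names are assumptions of this example. It also drops the uid from the save response, since the report notes it need not be echoed back.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical request/session containers; names are this example's, not showdoc's.
@dataclass
class Request:
    method: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

@dataclass
class Session:
    uid: str
    csrf_token: Optional[str] = None

def issue_csrf_token(session: Session) -> str:
    """Generate an unguessable per-session token; pages embed it in forms/JS."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token

def csrf_protected(handler):
    """Reject state changes arriving as GET (an <a href> or <img src> can only
    send GET) and POSTs whose token does not match the session's token."""
    def wrapper(request: Request, session: Session) -> dict:
        if request.method != "POST":
            return {"error_code": 405, "error_message": "method not allowed"}
        sent = request.form.get("csrf_token") or request.headers.get("X-CSRF-Token", "")
        if not session.csrf_token or not hmac.compare_digest(
                sent.encode(), session.csrf_token.encode()):
            return {"error_code": 403, "error_message": "invalid CSRF token"}
        return handler(request, session)
    return wrapper

@csrf_protected
def item_group_save(request: Request, session: Session) -> dict:
    # Constructed stand-in for the real handler; uid is intentionally not returned.
    group = {"id": "1", "group_name": request.form.get("group_name", "")}
    return {"error_code": 0, "data": group}

@csrf_protected
def user_logout(request: Request, session: Session) -> dict:
    # Constructed stand-in: a forced logout now needs the token a third-party page lacks.
    session.csrf_token = None
    return {"error_code": 0, "data": "logged out"}
```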