On 16 Feb 2019, at 10:22 AM, zyfyc wrote:
There is a CSRF vulnerability to reset the password.
First, let's use this account:
username=test and id=12
(In fact, we all know that id=1 and username=index1 is the installer, but I have deleted it.)
OK, PoC:
OK, we reset the password of test and log in:
Note: in the exp we can get the password by grabbing the return packet.
On 16 Feb 2019, at 6:19 PM, zyfyc wrote:
But a CSRF vulnerability is used when you are logged in. What you can do is add a token to prevent it. I tested; I couldn't add an account by CSRF, maybe the act was intercepted.
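The token the comment above refers to is a synchronizer token: a random value bound to the login session and echoed back in the form, which a page on another origin cannot read. The following is an added illustration, not code from the project discussed in this issue; it assumes a framework-agnostic handler that receives the logged-in user's session dict and the posted form fields, and it stubs session storage, routing and password hashing so it runs offline. It shows the unprotected handler (the report's scenario) next to the token-checked one.

```python
"""Synchronizer-token CSRF protection for a password reset handler (added example)."""
import hmac
import secrets

CSRF_SESSION_KEY = "_csrf_token"   # assumed key name in the server-side session
CSRF_FORM_FIELD = "csrf_token"     # assumed hidden-field name in the HTML form


class CsrfError(Exception):
    """Raised when a state-changing request lacks a valid CSRF token."""


def issue_csrf_token(session):
    """Return the session's CSRF token, generating one on first use.

    Binding the token to the session is what makes the comment's point work:
    CSRF only fires against a logged-in victim, and the forged request carries
    the victim's cookie automatically, but it cannot carry a value the
    attacker's origin has never been able to read.
    """
    token = session.get(CSRF_SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)   # URL-safe alphabet, safe to embed in HTML
        session[CSRF_SESSION_KEY] = token
    return token


def render_reset_form(session):
    """Build the reset form with the token embedded as a hidden field."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/user/reset_password">'
        f'<input type="hidden" name="{CSRF_FORM_FIELD}" value="{token}">'
        '<input type="password" name="new_password">'
        '<button>Reset</button></form>'
    )


def reset_password_vulnerable(session, form, user_db):
    """'Before' handler: accepts any POST that arrives with the victim's session.

    A cross-site form auto-submitted in a logged-in victim's browser is
    accepted, which is exactly the report's scenario.
    """
    user_db[session["user_id"]] = form["new_password"]   # hashing stubbed out
    return True


def verify_csrf_token(session, form):
    """Constant-time comparison of the submitted token against the session copy."""
    expected = session.get(CSRF_SESSION_KEY)
    submitted = form.get(CSRF_FORM_FIELD)
    if not expected or not submitted:
        raise CsrfError("missing CSRF token")
    # Compare as bytes so arbitrary submitted strings cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), str(submitted).encode()):
        raise CsrfError("CSRF token mismatch")


def reset_password_protected(session, form, user_db):
    """'After' handler: identical logic, but the token check runs first."""
    verify_csrf_token(session, form)
    user_db[session["user_id"]] = form["new_password"]   # hashing stubbed out
    return True


def demo():
    """Run both handlers against a legitimate and a forged submission."""
    session = {"user_id": 12}                 # constructed: user id 12 from the report
    forged_form = {"new_password": "attacker-chosen"}   # no token: attacker cannot know it

    # Unprotected handler: the forged post changes the password.
    weak_db = {12: "old-secret"}
    vulnerable_accepted = reset_password_vulnerable(session, forged_form, weak_db)

    # Protected handler, legitimate flow: token issued on render, echoed back on submit.
    safe_db = {12: "old-secret"}
    render_reset_form(session)
    good_form = {CSRF_FORM_FIELD: session[CSRF_SESSION_KEY], "new_password": "new-secret"}
    reset_password_protected(session, good_form, safe_db)

    # Protected handler, forged flow: rejected before any state changes.
    try:
        reset_password_protected(session, forged_form, safe_db)
        protected_rejected = False
    except CsrfError:
        protected_rejected = True

    return {
        "vulnerable_accepted_forgery": vulnerable_accepted,
        "weak_db_password": weak_db[12],
        "protected_rejected_forgery": protected_rejected,
        "safe_db_password": safe_db[12],
    }


if __name__ == "__main__":
    print(demo())
```

The check must run on every state-changing route (password reset, account creation, profile changes), not only the one reported. Setting the session cookie with `SameSite=Lax` and rejecting cross-site `Origin` headers are complementary defences, but neither replaces the per-session token, since older clients and same-site subdomains can bypass them.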