There is csrf vulnerability #20

Closed
czming123 opened this issue Apr 4, 2019 · 0 comments

Comments

@czming123

csrf vulnerability

In this vulnerability, if the admin user clicks the phishing links the hacker provided, it can generate a new user that can log in to the website management background.

I reviewed the code in the project, and I found that the code where the admin adds other users has no protection against Cross-site request forgery.

So, I used Burp to generate the CSRF PoC.

Then, if the admin clicks the button (some CSRF link), it generates a new user admin2 on the website.

admin2 can log in to the website background.

For more testing, this vulnerability can also be used to delete some users on the website.
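The missing control the report describes is a per-session anti-CSRF token on the admin "add user" form. The following is an added example, not code from this issue or from the project, showing a minimal synchronizer-token check: a forged cross-site POST that cannot know the session token is rejected, while the admin's own form submission succeeds. Function names, the session/form dictionaries and the sample users are assumptions.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh, unguessable token to the admin's server-side session.

    The token is rendered as a hidden field in the legitimate add-user form;
    a page on another origin cannot read it, so it cannot echo it back.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, form: dict) -> bool:
    """Accept the request only if the submitted token matches the session's."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    # Constant-time comparison so timing does not leak the token.
    return hmac.compare_digest(expected, supplied)


def handle_add_user(session: dict, form: dict, users: dict) -> tuple:
    """Hardened add-user handler: create the account only after the token check."""
    if not csrf_token_valid(session, form):
        return (403, "CSRF token missing or invalid")
    username = form.get("username", "")
    if not username or username in users:
        return (400, "bad or duplicate username")
    users[username] = {"password": form.get("password", "")}
    return (200, f"created {username}")


def demo() -> tuple:
    """Constructed scenario: one forged request, one legitimate request."""
    users = {"admin": {"password": "<existing>"}}
    session = {}                          # the logged-in admin's session
    token = issue_csrf_token(session)     # embedded in the real admin form
    # Forged cross-site POST (constructed): the browser attaches the admin's
    # cookies, but the attacker's page has no way to include the token.
    forged = {"username": "admin2", "password": "x"}
    legit = {"username": "editor", "password": "y", "csrf_token": token}
    return (handle_add_user(session, forged, users),
            handle_add_user(session, legit, users),
            sorted(users))
```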

@saysky saysky closed this as completed Apr 18, 2020