
There are two CSRF vulnerabilities that can add an administrator account #1

Closed
f1veT opened this issue Apr 19, 2018 · 5 comments

Comments

f1veT commented Apr 19, 2018

There are two CSRF vulnerabilities that can add an administrator account.
After the administrator has logged in, open the following page.

POC: http://www.8sec.cc/archives/596

[screenshot]
For example:

[screenshot]

yzmcms (Owner) commented Apr 21, 2018

So what? Once you are logged into the backend you can already add administrators; adding one via CSRF is no different from adding one normally. This is meaningless.

Repository owner deleted a comment from nr4v3n Dec 10, 2018
Repository owner deleted a comment from f1veT Dec 10, 2018
yzmcms closed this as completed Dec 10, 2018
Macchiatto725 commented

..CSRF is used for phishing. Who said it was about adding an administrator?

f1veT (Author) commented Aug 20, 2019

..CSRF is used for phishing. Who said it was about adding an administrator?

So the developer did not understand what a token is for.

yzmcms (Owner) commented Aug 20, 2019

Since YzmCMS v5.0, the backend has added token verification. Thanks for your support!
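
The token verification the owner refers to is the standard mitigation for the issue reported in this thread. The following is an added illustration (not YzmCMS code, and not taken from the POC link) of why a session cookie alone does not protect a state-changing admin action, and how a per-session CSRF token fixes it. The handler names, the `Session`/`Request` classes and the sample usernames are constructed for the example; a real CMS would read the session from the cookie and the token from the POST body.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session resolved from the browser's cookie (constructed stand-in)."""
    user: str
    is_admin: bool
    # One unguessable token per session; only pages served by the CMS can embed it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    session: Optional[Session]  # None when no valid session cookie was sent
    form: Dict[str, str]


class AdminStore:
    """Minimal stand-in for the CMS admin table."""
    def __init__(self) -> None:
        self.admins = ["admin"]


def add_admin_unprotected(store: AdminStore, req: Request):
    """'Before' behaviour: authorisation rests on the session cookie alone.
    The browser attaches that cookie to any form submission aimed at the CMS,
    including one triggered by an unrelated page the administrator opened."""
    if req.session is None or not req.session.is_admin:
        return 403, "login required"
    store.admins.append(req.form["username"])
    return 200, "added"


def add_admin_protected(store: AdminStore, req: Request):
    """'After' behaviour: the request must also carry the session's CSRF token,
    which a page on another origin cannot read and therefore cannot supply."""
    if req.session is None or not req.session.is_admin:
        return 403, "login required"
    if req.method != "POST":
        return 405, "state change requires POST"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return 403, "invalid or missing CSRF token"
    store.admins.append(req.form["username"])
    return 200, "added"


def render_add_admin_form(session: Session) -> str:
    """Form served by the CMS itself; the hidden field carries the session token."""
    return ('<form method="post" action="/admin/add">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input name="username"><button>Add</button></form>')


def demo():
    admin = Session(user="admin", is_admin=True)
    # Constructed cross-site submission: the session cookie is present (the
    # browser adds it) but the form was not rendered by the CMS, so no token.
    forged = Request("POST", admin, {"username": "unexpected_account"})
    before, after = AdminStore(), AdminStore()
    r_before = add_admin_unprotected(before, forged)
    r_after = add_admin_protected(after, forged)
    # Legitimate submission from the CMS's own form, token included.
    legit = Request("POST", admin, {"username": "editor", "csrf_token": admin.csrf_token})
    r_legit = add_admin_protected(after, legit)
    return r_before, before.admins, r_after, r_legit, after.admins


if __name__ == "__main__":
    print(demo())
```

The unprotected handler accepts the forged submission and the new account appears; the protected handler rejects it with 403 while still accepting the CMS's own form. The token must be tied to the session and checked on every state-changing route, not only on the "add administrator" page.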

NicoleG25 commented

@yzmcms
Can you tell me where the fix is?
CVE-2018-10223 has been assigned.
Thank you.
