Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ModStartCMS V4.6.0 has a vulnerability, Cross-site request forgery(CSRF) #3

Open
Rookie-is opened this issue Aug 24, 2022 · 4 comments
Open

ModStartCMS V4.6.0 has a vulnerability, Cross-site request forgery(CSRF) #3

Rookie-is opened this issue Aug 24, 2022 · 4 comments
Assignees
@modstart
Labels
bug Something isn't working

Comments

@Rookie-is
Copy link

Build ModStartCMSv4.6.0 locally
Background, background permissions -> administrator -> add
image
Click to add a user test
image
packet capture
image
send csrf poc
image
image
image
Click to send,refresh background
image
image
New administrator test appears
@Rookie-is
Copy link
Author

本地搭建 ModStartCMSv4.6.0
后台,后台权限->管理员->添加
image
点击添加,添加管理员test
image
抓包
image
发送csrf poc
image
image

image
点击发送,刷新后台,test管理员添加成功
image
image

@modstart modstart self-assigned this Aug 25, 2022
@Rookie-is
Copy link
Author

可以为cookie添加SameSite 属性来解决这个问题

@Rookie-is
Copy link
Author

This problem can be solved by adding the SameSite attribute to the cookie

@modstart modstart added the bug Something isn't working label Nov 5, 2022
@modstart
Copy link
Owner

modstart commented Nov 5, 2022

released

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@modstart modstart

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Rookie-is @modstart