yiisoft-contrib / yiiframework.com

Source code for official Yii website
http://yiiframework.com/

Vulnerability Report : No CSRF protection here #426

Open fozi6044 opened 5 years ago

fozi6044 commented 5 years ago

Hi Team,

I am a security researcher and I found this vulnerability on your website.

Vulnerability: No CSRF Protection here

So here I will show you how CSRF protection, or a captcha code, is needed in the password reset form. So here is the POST request which I captured through Burp. I will send it to the Repeater. I will flood a lot of new passwords through multiple clicks. I can send you a video as proof.

Regards,
Muhammad Fauzan
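For readers of this issue, here is an added example (not code from the yiiframework.com repository) of how a Yii 2 password-reset action is kept CSRF-protected and given a captcha check; the class and action names `SiteController`, `actionRequestPasswordReset` and `PasswordResetRequestForm` are assumptions.

```php
<?php
// Added example, not code from the yiiframework.com repository.
// Assumed names: SiteController, actionRequestPasswordReset, PasswordResetRequestForm.
namespace app\controllers;
use Yii;
use yii\base\Model;
use yii\web\BadRequestHttpException;
use yii\web\Controller;

class PasswordResetRequestForm extends Model
{
    public $email;
    public $verifyCode;
    public function rules()
    {
        return [
            [['email', 'verifyCode'], 'required'],
            ['email', 'email'],
            // The "captcha code": a CAPTCHA rule stops scripted resubmission of the form.
            ['verifyCode', 'captcha', 'captchaAction' => 'site/captcha'],
        ];
    }
}

class SiteController extends Controller
{
    // Weak setting, shown only for contrast: with this the reset endpoint accepts
    // any cross-site POST.
    // public $enableCsrfValidation = false;

    // Corrected (and the framework default): Yii rejects POST/PUT/DELETE requests
    // whose _csrf field or X-CSRF-Token header does not match the session-bound token.
    public $enableCsrfValidation = true;

    public function actions()
    {
        return ['captcha' => ['class' => 'yii\captcha\CaptchaAction']];
    }

    public function actionRequestPasswordReset()
    {
        $request = Yii::$app->request;
        // Explicit check on top of the automatic one in Controller::beforeAction().
        if ($request->isPost && !$request->validateCsrfToken()) {
            throw new BadRequestHttpException('Invalid CSRF token.');
        }
        $model = new PasswordResetRequestForm();
        if ($model->load($request->post()) && $model->validate()) {
            // send the reset e-mail here, then redirect so a refresh cannot resubmit
            return $this->goHome();
        }
        // ActiveForm in the view emits the hidden _csrf field itself.
        return $this->render('requestPasswordReset', ['model' => $model]);
    }
}
```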
fozi6044 commented 2 years ago

any reward for me on this bug report?

samdark commented 2 years ago

Hello @fozi6044. First of all, it seems we forgot to thank you for the report back then. Sorry. Second, unfortunately we don't have a budget for bug bounties at this point as a non-commercial open-source project. See https://www.yiiframework.com/security