The change password function in csrf.php does not actually check the username or if a valid session has been established. It always returns 'Password changed successfully.' I would also rename it to cswsh.php as it is Cross-Site WebSocket Hijacking.
Working on a fix for this. Thanks for raising it. Since the whole application is vulnerable to CSWH, I will skip renaming csrf.php to cswsh.php. I will update this issue when the fix has been pushed to the repository.
cz0r3k added a commit to cz0r3k/DVWS that referenced this issue May 24, 2024
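
The checks this issue reports as missing from the change-password handler, as an added example (not DVWS code, which is PHP): the WebSocket handshake's Origin is matched against an allowlist and the session cookie is resolved to a user before the request is honoured. The origin, the session table, the message shape and the `PHPSESSID` cookie name are assumptions.

```python
# Added example, not DVWS code. Origin, session table and message shape are constructed.
from http.cookies import SimpleCookie, CookieError

ALLOWED_ORIGINS = {"https://dvws.example"}        # assumed origin serving the app
SESSIONS = {"constructed-session-id": "alice"}    # session id -> logged-in user


def session_user(cookie_header):
    """Resolve the handshake's session cookie to a username, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    morsel = jar.get("PHPSESSID")  # PHP's default session cookie name (assumed)
    return SESSIONS.get(morsel.value) if morsel else None


def authorize_handshake(headers):
    """Checked once at the HTTP upgrade, before any message is processed."""
    # Browsers can attach cookies to cross-site WebSocket handshakes, so the
    # Origin header is what separates the app's own page from a foreign one.
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return None, "origin not allowed"
    user = session_user(headers.get("Cookie"))
    if user is None:
        return None, "no valid session"
    return user, "ok"


def handle_change_password(headers, message):
    """Return (user_to_update, reply); user_to_update is None on rejection."""
    user, reason = authorize_handshake(headers)
    if user is None:
        return None, f"Rejected: {reason}."
    # The username in the message must be the one bound to the session.
    if message.get("username") != user:
        return None, "Rejected: username does not match the session."
    if not message.get("password"):
        return None, "Rejected: empty password."
    return user, "Password changed successfully."
```

The caller persists the new password only when the first element of the result is a username; every other path returns a rejection instead of the unconditional success message.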