There are four CSRF vulnerability that can delete user and etc

[crazywa1ker]

vulnerability file: https://github.com/creditease-sec/insight/blob/open-source/srcpm/app/admin/views.py

1. line 61

@admin.route('/login_user_delete/<id>')
@permission_required('admin.login_user_delete')
def login_user_delete(id):
	lg_user_del = LoginUser.query.get_or_404(id)
	db.session.delete(lg_user_del)
	flash(u'删除用户 %s 成功' %lg_user_del.username)
	return redirect(url_for('admin.login_user_read'))

2. line 154

@admin.route('/role_perm_delete/<role_name>')
@permission_required('admin.role_perm_delete')
def role_perm_delete(role_name):
	role_perm_del = Permission.query.filter_by(role_name=role_name)
	#删除权限
	for r_p_d in role_perm_del:
		db.session.delete(r_p_d)
	flash(u'删除权限成功')
	#删除角色
	role = Role.query.filter_by(role_name=role_name).first()
	db.session.delete(role)
	flash(u'删除权限 %s 成功' %role_name)
	return redirect(url_for('admin.role_read'))

3. line 221

@admin.route('/depart_delete/<id>')
@permission_required('admin.depart_delete')
def depart_delete(id):
	depart_del = Depart.query.get_or_404(id)
	db.session.delete(depart_del)
	flash(u'删除部门成功')
	return redirect(url_for('admin.depart_read'))

4. line 293

@admin.route('/user_delete/<id>')
@permission_required('admin.user_delete')
def user_delete(id):
	user_del = User.query.get_or_404(id)
	db.session.delete(user_del)
	flash(u'删除人员成功')
	return redirect(url_for('admin.user_read'))

poc:

1.  Post one drops or comment contains this

![](http://127.0.0.1:9000/srcpm/admin/login_user_delete/[user id])

2. Wait admin to login and access the post.After admin query the img , one user will be deleted.

[shimmerming]

漏洞已修复，感谢对insight系统的关注，望以后多多交流，谢谢