[MajorSecurity SA-066]chillyCMS - change admin password via Cross-site
Request Forgery
Details
================
Product: chillyCMS
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.frozenpepper.de/chillyCMS/
Vendor-Status: informed
Advisory-Status: published
Credits
================
Discovered by: David Vieira-Kurz
http://www.majorsecurity.net/penetrationstest.php
Affected Products:
================
chillyCMS 1.1.2
Prior versions may also be vulnerable
Introduction
================
"chillyCMS is web based content management system."
More Details
================
We at MajorSecurity have discovered a vulnerability in chillyCMS, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to change the administrator's password by tricking a logged in administrator into visiting a malicious web site. The vulnerability is confirmed in version 1.1.2. Other versions may also be affected.
Proof of concept:
A proof of concept exploit has been sent to the maintainers and is available to MajorSecurity premium customers.
Solution
================
The web application should implement some validity checks to verify the requests before performing certain actions via HTTP requests.
Workaround
================
Do not browse untrusted sites or follow untrusted links while being
logged-in to the application.
MajorSecurity
================
MajorSecurity is a German penetrationtesting and security research company which focuses
on web application security. We offer professional penetrationstest, security audits,
source code reviews.
-- David Vieira-Kurz (CTO) Senior IT Security Consultant MajorSecurity Phone: +49 151 24 132 139 Web: http://www.majorsecurity.net Diese E-mail (sowie ihre Anhnge) ist vertraulich und nur fr den/die Adressaten bestimmt.